FORMAL SPECIFICATIONS FOR PACKET COMMUNICATION SYSTEMS

by



Submitted to the Department of Electrical Engineering and Computer Science
on October 28, 19[illegible], in partial fulfillment of the requirements for

the Degree of Doctor of Philosophy.



One of the most difficult tasks facing computer scientists is that of
designing systems and making sure that they perform their intended functions
correctly. As computer systems have grown in size and complexity, the
problems of system design and correctness have become increasingly acute.
Formal specifications, which are precise descriptions of a system's function,
provide a basis for understanding system behavior as well as for proving
correctness.

Although there has been much work in formal specification and
verification of computer programs, relatively little research has been done on
[illegible]. [illegible] that interact only by transmitting packets of
information. These systems possess a number of desirable structural properties
that make them suitable for formal analysis.

We have developed a model for formally describing the behavior of
packet systems and for proving correctness. The model is based on the fact
that packet systems may be viewed both externally, in terms of their
interaction with the outside world, and internally, in terms of their
structure as compositions of component units. A packet system is shown to be
correct by proving that the descriptions corresponding to these two views are
equivalent.

Our model is used to prove the correctness of three sample packet
systems, and a [illegible] characterization of [illegible] systems is stated and
CHAPTER 1. INTRODUCTION

1.1. System design and specification

The fields of computer hardware and software both deal with the
same fundamental goal: building systems to perform designated functions. A
hardware system is constructed from physical components, while a software
system is realized by writing programs in a language implemented on some
computer. As both hardware and software systems have grown in size and
capability over the years, their structure and operation have grown
tremendously in complexity. This has made the task of designing systems
increasingly difficult, especially so for large, high-performance systems. It is
important that both system designers and users have confidence that their
systems perform their functions as intended. System testing, debugging and
modification constitute a significant fraction of the time and expense involved
in designing systems. The issues of making certain that a system being
designed will operate correctly are thus of particular importance to both
hardware and software system designers.

Verifying the logical correctness of system designs has been
accomplished in practice mostly by "seat of the pants" techniques. The
drawbacks of such an informal approach are clear: one can be intuitively
certain that a system design is correct, but this is far from a guarantee of
correctness. There are numerous "horror stories" about systems that had to be
redesigned or scrapped because their designs had serious conceptual errors that
went undetected in the verification process. Such errors indicate a lack of
understanding on the part of the designers as to exactly what functions the
systems are supposed to perform. In order to have a sound understanding of
the way a system operates, and in order to be sure that it behaves correctly,
it is necessary to make use of [illegible] function. It is for just this
reason that the discipline of formal specifications has arisen. Specifications
are descriptions of the behavior desired of a system, and a system is shown to
be correct by verifying that it satisfies its specifications, i.e. operates as
it is intended to behave. There are two significant benefits that may be
realized by using formal specifications. First, it becomes possible to develop
formal verification techniques, which make it feasible to prove that systems
are correctly designed to perform their intended tasks. Second, formal
descriptions provide a medium through which complex systems can be better
understood. Thus, the task of system design may be facilitated through the
study of formal system specification and verification techniques.

Formal specification techniques cannot be used blindly without
considering the nature of the systems being described. For large, complex
systems, the specifications may become so complicated as to make correctness
proofs intractably difficult. However, this problem can be alleviated by
treating only those systems that satisfy "nice" properties. By insisting on
appropriate system constraints that must be satisfied, one can identify classes
of systems that have more orderly and structured designs without real sacrifice
in functional capability. Through judicious use of this concept of structured
system design, the system designer can be assured of working with systems
that can be more easily understood, described and verified.



Formal specifications have been the center of much research activity
within the software field [Rustin, 1972; Liskov and Berzins, 1976]. In
addition, an entire discipline known as structured programming has arisen to
study ideas of structured system design and their ramifications on the
programming process [Dijkstra, 1972; Wortman, 1977]. However there has
been relatively little research in corresponding areas of the hardware field.
One might explain this difference by saying that there is a much greater
concentration of theoreticians specializing in software than hardware, but
there is a more crucial underlying reason. Design costs for hardware systems
have long been overshadowed by the costs of materials, fabrication and
assembly. Once a machine is in production, the design process is ended; all
further costs lie in replication and maintenance. For these reasons,
the physical construction of systems is the most important factor in hardware
development. With software, on the other hand, design costs have always
predominated, since replication is relatively cheap. Moreover, software
systems are designed for specific applications; if the problems to be handled
are changed, then the programs must either be modified or redesigned.
Hardware systems are general-purpose in that for a change in application it is
the programming and not the machine that is modified. Software is thus far more
transient than hardware, which makes design costs even more important for
software. It is therefore not surprising that formal specification
methodologies have been developed within the software field.

The rapid developments in semiconductor technology over the past
few years are beginning to alter the economic balance in hardware
development. Integrated circuit chips can be mass-produced at extremely low
cost. Construction costs for hardware systems are decreasing dramatically as
new fabrication techniques are conceived and put into practice. Since design
costs are remaining essentially the same, they are becoming more and more
significant in relation to system development. This means that system design
techniques and approaches will soon be at the cutting edge of hardware
technology. For large and complex systems, whose logical functions are
especially difficult to comprehend and work with, the approaches to system
design are even more crucial. It is therefore important to open up a thorough
investigation of formal specification and structured system design
methodologies for hardware systems. And since much of the initiative in this
area has come from software research, it is natural to look for ways to apply
the techniques used in software design to the hardware field.

A particular class of systems called packet communication systems,
which are defined in the next section, has been chosen as the domain for
the research presented here. Packet communication systems are based on a set
of structural principles that facilitate the building of large,
high-performance systems and which also support the development of a
theoretical framework for formal specification and verification. In this thesis,
we shall develop techniques for formal specification of the behavior of packet
communication systems. We shall also take a look at the way formal
specifications may be used in verifying the logical correctness of these
systems. Because there has been so little work on a formal basis for
hardware system design, specification and verification, the research here may
be considered as the first step in a new direction.
1.2. Packet communication architecture and its background

Packet communication architecture is a set of principles according to
which systems may be designed and structured. The systems satisfying these
principles are collectively known as packet communication systems; for
brevity, they shall also be called packet systems. As described by Dennis in
[Dennis, 1975b], packet systems are essentially interconnections of
independently functioning units that interact only by sending each other
packets of information. The information contained in a packet may have
arbitrarily complex structure.

In this research, we have taken a particular point of view,
regarding packet systems as being physically constructed from hardware units.
Some of the important concepts underlying packet communication architecture
are particularly advantageous when applied to the design and implementation
of hardware systems. It is equally valid, though, to implement packet
systems in software. There are no existing techniques for formally specifying
or verifying packet systems viewed from either standpoint, so the
work here may also be seen as an advance in the study of software
specification as well.

There are two particular notions from the study of structured
programming that are directly supported by the principles of packet
communication architecture: modularity and hierarchy. These notions play a
large role in the suitability of applying formal specification techniques to
packet systems.
composing them from smaller units called modules. The basic idea is that the
use of a module is separated from [illegible]. In this way, a system can be
developed in stages by [illegible] modules. The [illegible] of modules are
discussed in more detail in [Myers, 1975; [illegible], 197[illegible];
[illegible], 19[illegible]] in the context of a [illegible] for supporting
modularity in [illegible] and of data abstraction [[illegible]]. A desirable
goal in modular systems is that [illegible] as [illegible] as possible. This
goal can be realized by [illegible] modules [illegible] through a set of
well-defined interfaces. [illegible] the issue of [illegible]. We shall not
[illegible].

Like modularity, hierarchy [illegible] be viewed and described [illegible]
into different levels of abstraction [illegible] use of mechanisms
[illegible]. A mechanism within the system is used at higher, more abstract
levels than where it is defined; in this way [illegible] is isolated
[illegible] but it will not interfere with [illegible]. The basic principles
and concepts of hierarchy [illegible] are presented in [Parnas, 1974;
[illegible]].
The properties of modularity and hierarchy make systems in general
easier to understand and work with. Each module in a hierarchical and
modular system has a set of "neighbor" modules with which it communicates.
The behavior of a given module depends on the conventions by which it
interacts with its neighbors, but it is completely independent of the internal
characteristics of the other modules in the system. Consequently, the designer
of a module need not worry about what goes on inside any other modules; the
only relevant concerns are the internal construction and the interface
conventions for the particular module being designed. In this way, design
information is partitioned along the boundaries of the modules, insulating the
system designer from irrelevant detail. This insulation is further enhanced in
hierarchical system structures. Each level of abstraction in the hierarchy is
isolated from the other levels. The designer of a module has to know the
external behavioral characteristics of the submodules from which the module
is composed, but the internal structures of those submodules should be totally
irrelevant to the design of the given module. Thus, systems that are both
modular and hierarchical have two dimensions along which design details are
partitioned. When the structure of a system prevents certain design
information from affecting areas it does not concern, the system design is
simpler to understand. Conceptual simplicity is an important design goal
whenever system specification and verification are taken into account.

Although the concepts of modularity and hierarchy have been given
far less theoretical attention in relation to hardware than software, they are
almost universally regarded as fundamental to good hardware design practice.
Hardware systems have for a long time been built up from modules such as
adders, decoders and shift registers, and now there is an even larger variety of
off-the-shelf component chips to use as modules. At a higher level of
abstraction, a typical microcomputer is composed of a microprocessor, some
RAM storage, I/O devices and interface channels. Each of these components
can be treated as a module, and the modules can themselves be decomposed.



For example, the processor is made up of an arithmetic unit, working registers,
gating logic, an instruction decoder and other components. These submodules
can in turn be further decomposed. This example illustrates how digital system
design exhibits hierarchical and modular properties. In practice, these
properties are realized by intelligent system design, but they are difficult to
achieve when designing large computing systems. Features such as virtual
memory, multi-user environments, multiprogramming and the sharing of
data among different processes are difficult to implement, and they are usually
implemented in practice either by [illegible] or by adding
new components as afterthoughts to a basic von Neumann architecture. The
interactions among these added components are generally not modular in
nature, which is one of the reasons why large computing systems are so
difficult to build. Packet communication architecture, on the other hand,
provides direct support for hierarchy and modularity.



[illegible] modules [illegible] comprise it. Packet systems can easily be
structured so that their modules correspond to the conceptual units in the
designer's view of the system. Further, the principles of packet communication
architecture allow the modules that form a packet system to be viewed
individually as systems that may themselves be decomposed into interconnected
component modules. This hierarchical property of packet systems provides some
of the major conceptual foundations of the approach to specification and
verification that will be developed. By making hierarchy and modularity
explicit, packet communication architecture not only facilitates formal
specification and verification, but in addition serves to encourage good
system design practice.

One of the most important design goals for packet systems is that 
the modules within a system operate as independently as possible. In support 
of this goal, it is required that modules communicate with each other by 
passing packets asynchronously. This principle eliminates the need for a 
centralized control facility to coordinate the action of all the modules, which 
greatly simplifies system structure. Moreover, it provides for concurrent 
operation of the modules, leading to enhanced system performance. A module, 
while awaiting response from other modules in order to perform certain tasks, 
can busy itself with other tasks for which the required responses have 
already arrived. An operation may proceed as soon as the information it needs 
is received, as opposed to what happens with conventional architectures, in 
which operations cannot be performed until they are explicitly initiated by
the sequential control. It is this distinction that provides for concurrency and 
thus allows packet systems to make more effective use of the available 
resources than do conventional large systems. 

The microcomputer example given above exhibits a number of
hierarchical levels of abstraction. It may be noted that the interfaces between
modules at different levels of the hierarchy have completely different
characteristics. At the top level, one deals with transmission of applications
data; within the microprocessor, microinstructions are passed; and at a still
lower level, it is basic logical signals that are passed and gated. In digital
systems as they are currently designed, interface protocols depend on the speed
at which the various modules process control and data signals. This
dependence limits the degree of modularity that can be achieved in existing
systems, since a module's interface with its outside world is not free of
internal speed and timing considerations.

Packet systems are not subject to such limitations; one of their
important properties is that the timing characteristics of an individual module
in a packet system do not affect the operation of any other module. A
module in a packet system can be replaced with another unit that performs
the same task orders of magnitude faster or slower than the original module,
and this change will not alter the logical functioning of the system. Packet
systems are thus speed independent, which removes from the designer the
burden of having to take into account the speed and timing properties of
system components in order to assure logical correctness. Speed independence
enhances the degree of modularity in a system and thus provides an additional
element of structuring in systems, which further assists system design and
verification. It should be noted that a system must operate asynchronously in
order to achieve the goal of speed independence. Packet systems, since they
are speed independent, can accommodate a uniform protocol for communication
of packets among their component modules. This uniformity of interface
provides the basis for the method of system specification that will be
described here.
The idea of building systems by connecting independent modules
under an asynchronous and speed-independent discipline is not new. An early
exposition was given by Muller [Muller, 19[illegible]]. There was a major
research effort several years later directed towards realizing systems that
were to be physically constructed from hardware units called macromodules
[Ornstein, 1967]. Patil has investigated logical designs for modules with
which asynchronous systems may be built [Dennis and Patil, 1971], and more
recently he has been working with applying programmable logic arrays to this
task [Patil, 1975]. All of these designs differ from packet communication
architecture in that control signals and data values are passed through the
systems separately, traveling on two distinct sets of communication pathways.
In packet systems, the notions of control and data are unified, eliminating the
need for separate pathways. This is yet another respect in which the
principles of packet communication architecture serve to simplify system
structure.

Since packet systems operate concurrently, a significant area of
application for packet communication architecture lies in realizing computer
systems that provide direct support for parallel programming. If different
parts of a program can be executed in parallel, then it is advantageous to run
the program on a machine in which the hardware can overlap their
execution. In this way, one can optimize running speed and utilization of
resources such as memory, processing elements and peripherals. The
study of data flow computation has precisely this goal in mind. Data flow is
the representation of programs in such a way as to make the data
dependencies and the parallelism among operations explicit. For two
operations O1 and O2 in a data flow program, it can be determined, directly
from the program structure, whether O1 needs to precede O2, whether O1
needs results of O2 in order to be performed, or whether O1 and O2 are
independent (can be done in parallel). The subject of data flow has been
treated extensively in the literature; for background and references, see
[Dennis, 1976a; Wang, 1975]. Substantial effort has gone into machine
designs for machines that can directly and efficiently execute data flow
programs [Rumbaugh, 1976; Dennis, 197[illegible]; [illegible];
Plas, 1976]. On such a machine, there is no sequencing of instructions: an
instruction may be executed as soon as its operands are available.
This is essentially the same principle by which
modules within a packet system [illegible]. Packet systems have
been directly influenced by the research in [illegible] architectures to
implement data flow.

The conceptual compatibility between the ideas of data flow and
packet communication architecture yields a natural connection between them.
In a packet system, the activity that takes place within a module is initiated
by the arrival of the appropriate data packets. The same implicit sequencing
of operations is found in data flow programs, and it would be practical to
implement them on systems that do not require ordered sequences of
instructions as their programs. This is one of the motivating forces behind
the conception of packet communication architecture. Most of the concepts are
far from new or original, but it is the combination that makes it suitable for
realizing data flow computation in hardware. Conversely, data flow is a
natural way to represent programs that will run on processors built according
to the principles of packet communication architecture. Thus, there is a
commonality between data flow and packet systems that arises because they
share similar goals and principles.



There is one more property of packet systems that should be noted
here. The behavior of a packet system (or of any of its modules) is
observable in terms of the packets it sends out in response to the packets it
receives. In general, packet systems are nondeterminate, which means that
given the packets received by a module, there may be several distinct but
equally valid responses to the input. Nondeterminacy is one of the factors
that make the behavior of packet systems difficult to understand and
formalize. This will have a definite bearing on the approach taken here
towards specification and verification.


This concludes the overview of the basic ideas of packet
communication architecture. The principal reason why packet systems were
chosen for this research is that their design is structured in a way that
supports system specification and verification. The next section presents an
overview of some of the major concepts and techniques that have been
developed for formal specification of computer programs and systems.

1.3. Formal specifications

Much of the research concerned with formally describing the
activity within computer systems has dealt with programming language
specifications. There are essentially three basic approaches to describing the
behavior specified by a piece of program text: axiomatic, denotational and
operational. Each approach may be applied to verify the correctness of
program text as well as serving as a purely descriptive vehicle.

Axiomatic specifications capture the meaning of executing a program
by comparing properties of the system state before and after execution. The
paradigm "if assertion A is true before program text P is executed, then
assertion B is true after P is executed" describes the meaning of program text
P. Special rules of inference are set up to describe the meaning of various
combinations of program texts in terms of their constituents' meanings; these
rules incorporate the basic semantic properties of constructs such as iteration
and conditionals. This approach became known through the work of Floyd
[Floyd, 1967] and Hoare [Hoare, 1969] in which it was used to prove
correctness of simple flowchart-like programs that manipulated integers. The
assertions they used related values of program variables. There has been a
substantial amount of more recent research in axiomatic specifications.
Dijkstra [Dijkstra, 1976] has built up an entire methodology of programming
around the ideas of axiomatic specification. Owicki and Gries [Owicki, 1976]
extended Hoare's techniques to parallel programs; their assertions made use of
auxiliary state variables to keep track of interprocess coordination. Greif
[Greif, 1975] took a different approach to parallel programs, using a partial
time-ordering on events to express coordination properties.

Denotational specifications capture the effect of a program by
viewing the objects they model as abstract mathematical entities. This
approach provides a formal mathematical description of the computational
notions being treated. An early denotational approach to specifications for
programming languages was the application of a mathematical formalism
known as lambda calculus towards describing the semantics of Algol 60
programs [Landin, 1966]. The best known work in denotational specifications
has followed from the research of Scott and Strachey [Scott and
Strachey, 1971]. Mathematical results from lattice theory are used in the
construction of complex domains over which programs are represented as
functions. Programs are proved equivalent by showing that their functions
coincide. A tutorial presentation of the Scott-Strachey approach is given in
[Tennent, 1976].

Operational specifications deal with the changing states within
computer systems as computations are performed. This is done by means of a
state-transition model in which a state represents the information present in the
system at a given moment in time. The meaning of a program is captured by
the sequence of transitions of the model. The sequence of states the model
passes through as a program is executed defines the action of an interpreter
for the program. The idea of using such an interpreter to define the meaning
of programs in some language originated with McCarthy [McCarthy, 1962]. A
well-known approach to operational specification is the Vienna Definition
Language (VDL) described in [Wegner, 1972a], which uses an interpreter that
manipulates tree-structured system states. Dennis' Common Base Language
[Dennis, 1971] is similar, dealing with directed graphs in place
of trees. Another approach to operational specification is due to Parnas
[Parnas, 1972]. This approach distinguishes two kinds of operations: those
that yield state information, and those that alter the state of the system.
Parnas applied his approach to operations on abstract data in programming
languages; this was extended to the domain of [illegible] in [[illegible],
197[illegible]]. Verification is achieved within an operational framework by
proving that the behavior of the interpreter in question is equivalent to
[illegible] that is known to perform the desired function. The ideas of
verification by interpreter equivalence were developed by Milner
[Milner, 1971] and are also presented in [Wegner, [illegible]].

As well as in software specification, there has been a substantial amount of
study of computer hardware description languages (CHDL's). The approaches
taken towards hardware specification have been almost entirely operational. The
language APL, before it was ever implemented as a programming language,
was used as a hardware description language to specify the operation of
IBM/360 computers [Falkoff, 1964]. The language ISP was developed
by Bell and Newell [Bell and Newell, 1971] to describe the operation of a
large number of different computers. Both APL and ISP describe their
target systems at the instruction set level, treating [illegible] as a basic
data type with operations for bit manipulation and [illegible]
logical functions. On the other hand, the language PMS, which was also
developed by Bell and Newell [Bell and Newell, 1971], describes the structure
of computer systems in terms of their components: processors, memories,
controllers and I/O devices. This is an example of a CHDL describing systems
from a higher-level conceptual point of view. [[illegible], 1974] is an
example of a lower-level CHDL that defines the behavior of elements such as
multipliers by specifying them as interconnections of basic logic gates.
Most of the CHDL's have been developed with two particular goals
in mind: automated system design, and system testing by means of
simulation. However, the microprogram certification project at IBM has
developed an approach to hardware system specification directed
towards formal verification of system design [Birman, 1974]. For both the
instruction execution level and the microprogram level, a VDL-style interpreter
is used to supply formal specifications. These two interpreters are then
proved equivalent in exactly the same way that equivalence is proved in
operational specifications for programming languages, as described above. The
proof techniques for this approach are additionally described in
[Leeman, 1976; Leeman, 1977]. Rumbaugh takes a similar approach to the
IBM group in proving the correctness of a data flow processor
[Rumbaugh, 1975]. He shows that an interpreter for his machine is
equivalent to one that models the operations in a data flow language.

1.4. The approach to be presented 

The research in specifications that has been reviewed here cannot be
directly applied to the task of formally describing and verifying packet
systems. The principal reason for this is that conventional techniques are not
equipped to handle the asynchronous operation of packet systems. The
concurrency in packet systems makes it difficult to verify their correctness:
in order to establish some property of a packet system, it must be shown true
for all possible sequencings of packet transmissions and receptions within the
system. Most existing techniques for formal specifications do not lend
themselves to this kind of task. Moreover, the notion of sequencing of
actions, which is fundamental to nearly all the approaches that have been
taken towards formal specifications, is not present in the context of packet
systems.

There is a descriptive formalism, Petri nets, that has been developed specifically for modelling asynchronous concurrent systems. Petri nets [Peterson, 1977] are directed graphs in which tokens move along the arcs, and the movement of tokens represents the occurrence of various events. Although they have received much attention [Patil, 1970; Hack, 1970], they cannot be applied directly to packet systems. Petri nets convey only control information, in terms of enabling concurrent activities, and not the nature of those activities themselves; in particular, they do not treat the data values that are passed within packet systems. Also, although some mathematical machinery exists for Petri nets, no well-developed techniques have been applied to the problem of system verification. Most of their practical applications have been in connection with simulating asynchronous behavior rather than proving properties of systems. Petri net models, therefore, fail to meet the goals of specification and verification.

Within a packet system the various modules receive and process input packets, compute responses to them, and send the responses out, all asynchronously and in parallel. The kind of specification best suited to describing this kind of behavior is operational in nature: the state of a packet system records which packets have been passed between which modules, together with any other information relevant to the correct operation of the system, and transitions between states modify that record. However, unlike conventional operational models, the transitions between states need to be driven not by an externally supplied sequence of instructions to be executed by the system, but rather by the arrival of packets presented for processing. This means that an operational model for a packet system must take into account the many possible asynchronous state transitions arising from the flow of packets.

Describing the internal operation of packet systems is not sufficient by itself for verification purposes. There must also be a method for specifying the logical function a system is expected to perform. This function concerns the system's input/output behavior as seen by the outside world in terms of packets received and sent out. Of the three kinds of approaches to specifications discussed in the previous section, a denotational approach seems best suited for our needs because it can be easily tailored to describe sequences of packets that have been passed between various modules. Because of this flexibility, a denotational approach will also interface nicely with the hierarchical structuring of packet systems. Thus, we shall be working with two kinds of specifications for packet systems: operational specifications to describe their internal operation, and denotational specifications to describe their behavior in relation to the outside world. The correctness of a packet system will be demonstrated by proving that these two sets of specifications for the system agree with each other.

A recent research effort is specifically directed towards formally describing the structure and behavior of packet communication systems. It distinguishes two ways in which a packet system may be described. A structural description characterizes the system as an interconnection of modules. A behavioral description is an operational characterization of the manner in which the modules carry out the reception, processing and transmission of individual packets. The approach used here is similar to that of [EMK^lit t971]. This first approach to describing packet systems is both helpful and suggestive; however, it does not treat the internal operation of a packet system within a single formal framework. That problem has not been studied previously, and it is crucial to verifying the correctness of packet systems; the development of such a framework is the subject of this research. The language of that effort is more directly suited to specifying the behavior of modules than the denotational approach taken here.



The body of this thesis consists of four chapters. Chapter 2 describes the basic notions of packet communication architecture. The notion of correctness is defined, and a notation for describing the structural composition of packet systems is also presented. Chapter 3 presents the denotational part of the packet system specification model: the behavior of a packet system or module is formally defined as a relation between the packets it receives as input and the corresponding packets sent out in response. Chapter 4 motivates and defines the central concepts of the research, giving an operational characterization of the actions that take place within a packet system. Chapter 5 shows how the specification model described in the two preceding chapters may be applied to the task of verifying correctness of packet systems. Three sample systems are proven correct, and a theorem is presented to show how the model may be simplified in certain cases.
2.1. Overview

In this chapter packet systems will be described in detail. We shall define the notion of a packet system and develop a means for formally describing the structural composition of such a system. We will then informally introduce the concept of correctness for packet systems. The machinery needed to formally define and prove correctness will be developed in Chapters 3 and 4.

Packet communication architecture concerns a special class of systems known as packet systems. Packet systems are composed of independently functioning units, known as modules, which interact only by passing information to each other. The information is passed in the form of units called packets. There is no centralized facility for coordinating the actions of the modules. Both operation and communication within packet systems are asynchronous, and the various modules operate concurrently.

In a packet system, the various modules are interconnected through one-way data paths known as channels. A channel connects two modules in a specified direction and is used to pass data from the first module to the second. Channels leading into a module are called input channels for the module, and channels leading out are called output channels. A packet system has its own set of input and output channels connecting it to the outside world. The other ends of these channels are never explicitly designated.

The structure of a packet system is determined by the way it is 
composed from modules and channels, and always remains fixed for a 
particular system. Modules and channels within a system are uniquely 
named. Figure 2.1-1 depicts a packet system DAS composed from three 
modules D, A and S. There is one system input channel X and two system 
output channels Y and Z. The internal channel U connects module D to 
module A, and channel V connects module D to module S. 




Figure 2.1-1: A sample packet system DAS. 



All data treated by a packet system appear in the form of packets, 
which are passed along the various channels of the system. Each packet 
carries a value of some type. The modules in a packet system all have the 
same basic principle of operation: a module receives packets on its input 
channels, processes them internally and generates packets to be sent out on its 
output channels. This principle applies to entire packet systems just as it
does to their individual component modules. Packet systems are data-driven 
in the sense that the progress of a computation in a packet system is 



There are two ingredients which together determine the behavior of a packet system: its structure and the behavior of its modules. Thus, for instance, in order to describe how the system DAS acts, one must first describe what the modules D, A and S do. We now describe the behavior of these three modules.



All three modules receive and send integer-valued packets. Module A, upon receiving a packet from its input channel U, adds one to its value and sends out the incremented value as a packet on its output channel Y. Module S behaves identically except that it subtracts one instead of adding. Module D duplicates the packets it receives on X, sending out identical copies on U and V.

Given these descriptions, it is not hard to figure out how system DAS acts. Any packet input on X is copied onto channels U and V. The packet passed on U will be incremented and sent out on Y; the packet passed on V will be decremented and sent out on Z. Thus each packet received by DAS causes two packets to be generated: a packet with value one greater on Y and a packet with value one less on Z.



It may seem for a moment that these characterizations are incomplete. There is ambiguity in exactly when input packets are to be processed, and in what manner and in what order the resulting output packets are generated and sent out. We shall address such questions by stipulating the properties of packet transmission that every packet system must satisfy; precise methods for handling such questions of sequencing will be developed in the next chapter.

2.2. A closer look at packet systems

In this section the workings of packet systems will be examined in greater detail. The first thing we discuss is one of the fundamental properties they satisfy: the internal resources of a packet module or packet system may be allocated and utilized in any arbitrary manner as long as the specified operations will be performed correctly. Consider, for example, the system DAS from the previous section when it is in the state depicted in figure 2.2-1. An input packet with value 2 has been received on the X channel and processed by the D module, leaving copies of the packet on channels U and V. Another packet with value 5 is still waiting on channel X to be processed by the system.

Figure 2.2-1: A sample state of system DAS.



There are three actions that should now be performed within the system: (1) module A absorbing and processing the packet on channel U; (2) module S processing the packet on V; and (3) system DAS accepting the packet from channel X and initiating its processing in module D. The crucial property of packet systems exhibited here is that these three actions may be performed in any order, serially or concurrently, and the ensuing operation of system DAS will be completely independent of whatever particular order is chosen. It is this property that makes the behavior of packet systems genuinely asynchronous.

We can gain a better understanding of the action of packet systems by taking a more detailed view of the operation of their component modules. When a module receives a packet from one of its input channels, it begins to process the packet internally. Sometimes the only effect of the packet's absorption is that the module's internal state may change. In general, though, the module's semantics may require that it generate one or more packets to be sent out on its output channels in reply to the packet received. The sequences of packets generated by a module in reply to a packet received are said to be the module's response to that packet. It is important to note that a module's response to a particular packet may depend on previous packets input as well as the designated one. There may be an arbitrary finite delay between the time a module receives a packet and the time the module generates and sends out its response to that packet. The fact that packet modules and systems must be able to tolerate such delays is an essential consequence of their asynchronous operation.

There is a special protocol that must be fulfilled in packet systems for the transmission and receipt of packets through the various modules and channels. Suppose a channel C connects module M1 to module M2, as illustrated here:

Figure 2.2-2: A channel in a packet system.

It is desirable for module M1 to have some way of knowing when it has successfully sent a packet out on channel C. The discipline that has been adopted is that when a packet sent on C from M1 is received by module M2, M2 will send a signal to M1 on channel C in the reverse direction to indicate that it now has the packet safely in hand. Such a signal is known as an acknowledge signal. It is not until M1 receives the acknowledge signal for a particular packet that it knows it is done with the entire process of generating and sending that packet. Thus, from the point of view of module M1, there are three stages in the transmission of a packet: generation, sending, and receipt of acknowledgment. It should be noted that module M2 cannot generate output in response to packets it receives from channel C until it has sent back on C an acknowledge signal for those packets. There is a caveat with regard to acknowledge signals: although they are sent in response to every packet transmission in a packet system, we regard them as part of the hardware and not available to be manipulated by system designers.

The channels in a packet system are assumed to have certain special characteristics as transmission media. The first is reliability: every time a packet is sent out on a channel, it will eventually be received at the other end. A packet generated to be sent out from some module in a packet system can never be lost. This means that whenever a module generates a packet to be sent out, it will receive the acknowledge signal for the packet within some finite span of time. It is assumed that channels never "break" and that acknowledge signals are always received by the appropriate modules. Failure of a channel, for the purposes of verification, invalidates the entire system function. The problems of fault tolerance in systems are beyond the scope of this thesis; packet communication architecture requires that each packet sent out on a channel actually be delivered and acknowledged. It should be noted that this is an assumption about reliability rather than performance, because packet transmission may involve an arbitrary finite delay.

A second characteristic is that a channel C is a one-way, point-to-point medium: a packet sent out on C is received only by the module at the other end of C, and only the module at the sending end may send packets on C.

A third characteristic of channels is that they act as FIFO queues, which means that if the module M1 first sends a packet x out on channel C and then sends another packet y out on C at a later time, then M2 must receive and acknowledge x before y. We make the further assumption that the channels have unbounded buffering capacity, so that there is no limit to the number of packets that may be waiting on a channel at any time.
Physically speaking, this assumption is not realizable in general, because no real device can have infinite capacity, let alone a high-speed transmission medium. However, if we assume unbounded buffering, then we rule out the possibility of system deadlock caused by packets piling up in certain channels and inhibiting further packet output into those channels. Unbounded buffering is therefore a convenient assumption to make.

Finally, we shall assume that for each channel in a packet system there is a designated set (type) of packets that may be passed on the channel. For example, one channel may carry only integer packets, while another channel may accept only packets that consist of an employee name together with a corresponding identification number.

There is an extremely important property of packet systems which we will be treating, namely nondeterminacy. A module or system is said to be nondeterminate if its semantics allow two or more distinct possible responses to a given packet input. A simple example of a nondeterminate module is one that models the toss of a coin. It has one input channel and one output channel, and its response to any packet received will be a single packet with either the value "heads" or the value "tails." The choice is arbitrary and independent of the input packet. Nondeterminate modules and systems are very difficult to work with because the multiplicity of possible results is cumbersome to model mathematically. We will explicitly allow for nondeterminate modules and systems in our treatment.

A certain class of nondeterminate system behavior will be of particular interest because it arises frequently in the design of packet systems. This kind of behavior concerns the relative order of packets sent out on a channel. Consider a module in which the task of computing and sending out packets in response to inputs taken from a specific channel is relatively complicated or time-consuming. One would naturally wish to allow the processing of distinct inputs to proceed concurrently if possible. But then it may turn out that responses to a recent input will be ready to be sent out before responses to inputs received earlier. Moreover, it cannot be determined in advance whether or not such "cutting ahead" behavior will actually occur. It is possible to impose a synchronization discipline that will force the outputs into a desired order, but in doing so all the advantages of asynchronous processing of different inputs are lost. Thus, if the system application and design can tolerate "cutting ahead," it is wise to allow it. In general, then, providing for nondeterminate behavior that admits different alternative orderings of generated output packets will often in practice become an attractive design goal for packet communication systems.
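The order-independence claimed in this section for the three pending actions of figure 2.2-1, and the "cutting ahead" just discussed, can both be checked mechanically on small systems by enumerating every serial ordering of the actions that are enabled. The Python below is an added example, not code from the thesis: channels are modelled as unbounded FIFO queues, an action is a module receiving the packet at the head of one of its input channels, and all reachable output slices are collected. DAS is the system of figure 2.1-1; the merge module M and the system DM are constructed here to exhibit cutting ahead, and every function name is this example's own.

```python
# Constructed model of packet systems under the channel assumptions of section 2.2.
# State: dict channel-name -> list of packets currently waiting on that channel (FIFO).
# Module: (list of input channels, respond(channel, packet) -> [(out_channel, value), ...]).

def enabled(channels, modules):
    """All actions that may be performed now: (module, input channel) pairs
    for which a packet is waiting on that input channel."""
    return [(m, c) for m, (ins, _) in modules.items() for c in ins if channels[c]]

def fire(channels, modules, action):
    """Perform one action: the module receives (and thereby acknowledges) the head
    packet of the FIFO and appends its response to its output channels.
    Returns a fresh state so that the exploration below can branch."""
    m, c = action
    _, respond = modules[m]
    new = {k: list(q) for k, q in channels.items()}
    pkt = new[c].pop(0)                      # FIFO: oldest packet first
    for out, value in respond(c, pkt):
        new[out].append(value)               # unbounded buffer: a send never blocks
    return new

def all_runs(channels, modules, outputs):
    """Explore every serial ordering of enabled actions until none remains and
    return the set of distinct output slices (one stream per listed channel)."""
    results = set()

    def explore(state):
        actions = enabled(state, modules)
        if not actions:
            results.add(tuple(tuple(state[o]) for o in outputs))
            return
        for a in actions:
            explore(fire(state, modules, a))

    explore(channels)
    return results

def is_determinate(channels, modules, outputs):
    """True if every ordering of actions yields the same output slice."""
    return len(all_runs(channels, modules, outputs)) == 1

# System DAS of figure 2.1-1: D copies X onto U and V, A adds one (U -> Y),
# S subtracts one (V -> Z).
DAS = {
    "D": (["X"], lambda c, p: [("U", p), ("V", p)]),
    "A": (["U"], lambda c, p: [("Y", p + 1)]),
    "S": (["V"], lambda c, p: [("Z", p - 1)]),
}

def das_state(x_packets):
    return {"X": list(x_packets), "U": [], "V": [], "Y": [], "Z": []}

# System DM, constructed to show "cutting ahead": the A and S responses are merged
# by a module M that forwards whichever packet it receives next onto channel W.
DM = {
    "D": (["X"], lambda c, p: [("U", p), ("V", p)]),
    "A": (["U"], lambda c, p: [("P", p + 1)]),
    "S": (["V"], lambda c, p: [("Q", p - 1)]),
    "M": (["P", "Q"], lambda c, p: [("W", p)]),
}

def dm_state(x_packets):
    return {"X": list(x_packets), "U": [], "V": [], "P": [], "Q": [], "W": []}

if __name__ == "__main__":
    print(all_runs(das_state([2, 5]), DAS, ["Y", "Z"]))   # a single output slice
    print(all_runs(dm_state([2]), DM, ["W"]))             # two slices: (3, 1) and (1, 3)
```

Only serial orderings are explored; since each channel has a single sender and is a FIFO, a concurrent execution of two enabled actions reaches the same state as either serialization, so the serial runs already cover the claim made in the text. For DAS every run ends with Y = (3, 6) and Z = (1, 4); for DM the single input 2 yields W = (3, 1) in some runs and (1, 3) in others, which is exactly the multiplicity of responses that a specification must admit rather than suppress.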

2.3. Correctness

The notion of correctness for packet systems bears a close relationship to the ways the notions of system structure and composition are treated within the framework of packet communication architecture. At a very intuitive level, a system is correct if it satisfies certain conditions laid out for it in advance. For packet systems, these conditions take the form of behavioral specifications. As we mentioned in the preceding chapter, a packet system's behavior is observable by the way it responds to its inputs. More precisely, the behavior is a relationship between inputs received and outputs generated in response to those inputs. A packet system, therefore, is correct if this relation satisfies a given set of specifications. The nature of such specifications will be discussed in detail in subsequent sections.

It is important to note that one cannot prove correctness of a system without some knowledge of its internal workings. If a system is viewed as a "black box" (figure 2.3-1),
Figure 2.3-1: "Black box" view of a packet system.

then the only things that can be seen are packets entering and leaving. There is simply not enough information available to decide whether or not a system is behaving correctly. Since responses to inputs may be subject to an arbitrary finite delay, one cannot tell whether additional output packets are forthcoming. For example, suppose a system has apparently sent out all the packets it should transmit in response to the inputs received. The system only appears to be behaving correctly, since there is no guarantee that an invalid packet will not be unexpectedly sent out later. Even if this were determinable, observation alone could not conclusively decide whether the system would respond correctly in all situations. The only way to tie down
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aameamn for « jiBlia^« pi^Mt iQqMiB, Uiastfiam, Is to am^ 



r 

1 
1 

w I 

1 




A 




P 




* 


— 1 

t . 
1 

1 


r 


1 










V 

1 
t 




1 


^^ 




/ 




1 
1 
1 

X ! 

1 




>v 


\ / 


/. 


• 
1 
1 


z 


c 


1 


SYJ 






1 

» 
1 
1 
1 
} 




1 

1 
I. 


S 













Fisure 2.3-2; Int^iwl vImi of tb« som packot systom. 

If we view the system as being realized in terms of its component modules, then the following fundamental correctness principle can be stated:

    A packet system is correct if its given structural composition satisfies its behavioral specifications whenever the component modules satisfy their own respective behavioral specifications.

The notion of a system's composition satisfying a set of specifications is not yet formally defined; it will be treated in detail in the chapters that follow. The notion of a module satisfying specifications is simply that of a "black box" device acting as intended. The above correctness principle defines only a relative notion of system correctness. An obvious question that arises is how to establish the correctness of the modules in order to deem the system correct. We already have the answer to this question: just as with the system itself, correctness of the component modules can be established only by looking at their own
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respective internal structures. 

A significant ramification of this approach is that packet systems and modules are really two different views of the same thing: a module is revealed to be a system when one examines its internal structure, and ignoring the composition of a packet system is tantamount to treating it as a module. There is an underlying source for this conceptual unity, which is that packet communication architecture supports the hierarchical structuring and composition of systems. Packet systems can (and should) be designed so that there are distinct and well-structured levels of decomposition, each level consisting of systems built up from simpler modules. In this sense, our fundamental correctness principle for packet systems supports a top-down verification methodology in which correctness proofs are broken down level by level into their natural logical and conceptual constituents. Logically distinct lines of argument are isolated so that they do not interfere with one another. Thus the notion of modularity in packet system structure is carried through in the approaches we take to correctness and verification.

It may seem for a moment that there is a potential infinite regress in working with smaller and smaller modules within modules, but this can never arise. There is always a well-defined bottom level to the hierarchy in which the modules are regarded as implementing primitive operations such as adding and gating. At this point, correctness has been reduced to the way the primitive functions are defined.

Our approach to correctness and verification of packet systems allows a system to be viewed in two different ways: internally, in terms of its structural composition from modules, and externally, by concealing the internal working. The idea of distinguishing between internal and external views of systems is closely related to the notion of data abstractions in programming languages [Liskov and Zilles, 1974]. As we shall see in Chapter 3, it is fairly straightforward to construct behavioral specifications for a packet system viewed externally. However, in order to establish correctness of a system, we need to show that the external behavior agrees with the system's structure. It is a difficult task to formally describe the behavior of a system in terms of its internal composition. We shall address this task in Chapter 4.

2.4. Structural descriptions

The only means we have used so far to describe the structure of packet systems is through informal diagrams. If any general assertions are to be made involving system composition we will need a more precise vehicle for structural description, which is introduced in this section.

The structure of a packet system may be modeled in very straightforward fashion by a directed graph in which nodes representing modules are connected by directed arcs representing channels. Figure 2.4-1 shows a sample packet system and the directed graph that models it. Note that the directed graph has an extra node, labeled "*". This gives explicit representation to the system's "outside world," which serves as both the source of system input channel X and the target of system output channel Y. The graph may look like just another drawing of the system, but
Figure 2.4-1: A packet system and its directed graph.



it is a mathematical object with specific characteristics. Formally speaking, a directed graph is an ordered pair of the form <N, A> in which N is the set of its nodes and A is the set of its arcs. Each arc in A is an ordered triple containing a source node, an arc name and a target node. An arc a ∈ A has the form (a.source, a.name, a.target). For example, the graph in figure 2.4-1 is the ordered pair

    <{*, D, E, F}, {(*, X, D), (D, P, E), (E, Q, F), (F, R, D), (E, Y, *)}>.

It is easy to see that for each node n in the directed graph we can define the sets of arcs leading into and out of n. These sets are given by

    Inputs(n) = {a ∈ A : a.target = n}   and   Outputs(n) = {a ∈ A : a.source = n}.

The directed graph characterization thus mathematically specifies how the modules in a system are interconnected.

There are two additional properties of packet systems that can be incorporated into our formal structural descriptions. First, we can model the packet type restrictions for the channels by associating a type description with each channel. Second, we can specify packets initially present on the channels with an initial packet sequence for each channel. Both properties are handled easily in the directed graph model by adding extra fields to the arcs.



The above mathematical model for packet system structure may be sugared into a structural description language. The description language we use here is patterned after the structural portion of ASL as presented in [Leung, 1977]. For the system we have been discussing in this section, if we assume that all channels carry only integer-valued packets and that there is one packet with value zero initially present on channel R, then the formal description of its structure may be written as follows:

    System SYS
        inputs X(integer)
        outputs Y(integer)
        internals P(integer), Q(integer), R(integer)
        D inputs X, R; outputs P
        E inputs P; outputs Q, Y
        F inputs Q; outputs R
        Initially R <0>

While descriptions of this form do not explicitly name the source and target modules for each channel, these are easily determined: each internal channel in the system must appear exactly once in a submodule input list and exactly once in a submodule output list.
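The description language and the directed-graph model can be tied together mechanically. The Python below is an added example, not code from the thesis or from ASL: it parses a description in the form shown in this section into the ordered pair <N, A>, provides Inputs(n) and Outputs(n), and enforces the rule that each internal channel appears exactly once in a submodule input list and exactly once in a submodule output list. Two conventions are this example's assumptions rather than the page's: channel types are single identifiers such as "integer", and initial packets are written "Initially R <0>" with a comma-separated list of integers inside the angle brackets. The checks on system channels (a system input feeds exactly one module and is sent by none; a system output is sent by exactly one module and received by none) extend the text's rule to the "*" node.

```python
import re
from dataclasses import dataclass

@dataclass
class PacketGraph:
    """The directed graph <N, A> of a packet system, plus channel types and
    initial packet sequences carried as extra fields on the arcs."""
    name: str
    nodes: set      # module names plus "*" for the outside world
    arcs: set       # {(source, channel_name, target)}
    types: dict     # channel_name -> type name
    initial: dict   # channel_name -> list of packets initially present

    def inputs(self, n):
        """Inputs(n) = {a in A : a.target = n}"""
        return {a for a in self.arcs if a[2] == n}

    def outputs(self, n):
        """Outputs(n) = {a in A : a.source = n}"""
        return {a for a in self.arcs if a[0] == n}

_CHAN = re.compile(r"(\w+)\((\w+)\)")                      # X(integer)
_MODULE = re.compile(r"(\w+)\s+inputs\s*([\w,\s]*);\s*outputs\s*([\w,\s]*)$")
_INIT = re.compile(r"Initially\s+(\w+)\s*<([^>]*)>$")       # assumed syntax

def parse_structure(text):
    """Parse a structural description and check its well-formedness.
    Raises ValueError on any violation of the channel rules."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    header = re.match(r"System\s+(\w+)$", lines[0])
    if not header:
        raise ValueError("first line must be 'System NAME'")
    sys_in, sys_out, internal, initial = {}, {}, {}, {}
    sources, targets = {}, {}     # channel -> modules listing it as output / as input
    modules = set()
    for line in lines[1:]:
        if line.startswith("inputs "):
            sys_in.update(_CHAN.findall(line))
        elif line.startswith("outputs "):
            sys_out.update(_CHAN.findall(line))
        elif line.startswith("internals "):
            internal.update(_CHAN.findall(line))
        elif line.startswith("Initially "):
            m = _INIT.match(line)
            if not m:
                raise ValueError(f"bad initial packet line: {line}")
            initial[m.group(1)] = [int(v) for v in m.group(2).split(",") if v.strip()]
        else:
            m = _MODULE.match(line)
            if not m:
                raise ValueError(f"unrecognised line: {line}")
            mod = m.group(1)
            modules.add(mod)
            for c in re.findall(r"\w+", m.group(2)):
                targets.setdefault(c, []).append(mod)
            for c in re.findall(r"\w+", m.group(3)):
                sources.setdefault(c, []).append(mod)

    types = {**sys_in, **sys_out, **internal}
    for c in set(sources) | set(targets) | set(initial):
        if c not in types:
            raise ValueError(f"channel {c} is used but never declared")
    # Rule from the text: every internal channel appears exactly once in a
    # submodule input list and exactly once in a submodule output list.
    for c in internal:
        if len(sources.get(c, [])) != 1 or len(targets.get(c, [])) != 1:
            raise ValueError(f"internal channel {c} needs exactly one source and one target module")
    # System channels: one end is the outside world "*", the other exactly one module.
    for c in sys_in:
        if c in sources or len(targets.get(c, [])) != 1:
            raise ValueError(f"system input {c} must feed exactly one module and be sent by none")
        sources[c] = ["*"]
    for c in sys_out:
        if c in targets or len(sources.get(c, [])) != 1:
            raise ValueError(f"system output {c} must be sent by exactly one module and received by none")
        targets[c] = ["*"]
    arcs = {(sources[c][0], c, targets[c][0]) for c in types}
    return PacketGraph(header.group(1), modules | {"*"}, arcs, types, initial)

# The example system of this section, written in the assumed syntax.
SYS_DESCRIPTION = """
System SYS
  inputs X(integer)
  outputs Y(integer)
  internals P(integer), Q(integer), R(integer)
  D inputs X, R; outputs P
  E inputs P; outputs Q, Y
  F inputs Q; outputs R
  Initially R <0>
"""

if __name__ == "__main__":
    g = parse_structure(SYS_DESCRIPTION)
    print(sorted(g.arcs))        # the five arcs of figure 2.4-1
    print(g.inputs("D"))         # {('*', 'X', 'D'), ('F', 'R', 'D')}
```

A description that lists an internal channel in two modules' input lists (for instance an extra line "G inputs P; outputs Q") is rejected, which is the structural check a verifier should run before any behavioral reasoning starts: if a channel had two senders, the FIFO and single-source assumptions of section 2.2 would no longer hold.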

This section has presented structural specifications for packet systems. The next two chapters present a model for behavioral specifications.
CHAPTER 3: SPECIFICATIONS FOR PACKET MODULES

3.1. The slice relation approach

Because of the way a packet system is built up from component modules, the behavior of a system will be a function of its structure and the behavior of the modules in it. In this chapter we shall develop a method for formally specifying the behavior of packet modules. Specifications defined by this method will be called external specifications because they describe the behavior of packet modules without consideration of their internal structural composition.

A packet module has a fixed number of input channels on which it receives packets to be processed, and there are a fixed number of output channels on which it sends out packets in response to the inputs it has received. A formal behavioral specification for a module must be able to rigorously determine for each input exactly what is a valid output response. Because packet systems are in general nondeterminate, the potential multiplicity of valid output responses rules out a single functional mapping. Instead, we shall state external specifications for a module M in the form of a relation EXT_M that formally relates inputs to the semantically valid corresponding outputs. Such a relation will be called an external characteristic relation for the module M.

The most obvious approach is to use a relation from input packets to output packets, but this does not suffice in even the simplest case: consider a module ID that "does nothing," that is, sends out its input packets untouched.

Figure 3.1-1: The identity module ID.

The identity relation EXT_ID on packets defined by the relation

    (p, q) ∈ EXT_ID if and only if p = q

does not completely describe the behavior of the module ID. If ID receives as input a packet with value 1 followed by a packet with value 2, there are two different possible responses: ID can send out the 1 followed by the 2, or it can send out the 2 first and the 1 later. Thus a specification for the module must describe the sequencing of transmissions in order to adequately capture its behavior. For example, if we intend for the module ID to preserve the relative order of the packets it receives, then its behavior would be exactly specified by the identity relation EXT_ID taken over sequences of packets rather than individual packets. Such sequences are required in general to describe the behavior of a module which depends on a memory of previous packets received in order to decide how to respond to a current packet. We therefore need to develop some mathematical apparatus for manipulating sequences of packets. We will use the term stream to denote a sequence of packets. The mathematics of streams will be developed in the next section.

In general, the behavior of a module is specified by a binary relation that relates presented inputs to valid output responses. For the module ID, we see that presented input may be correctly modeled by a stream of packets passed on the input channel X. For a module with an arbitrary number of input channels, in order to model presented input we need a separate packet stream for each input channel. We therefore define an input slice for a module M to be a collection of streams, one for each input channel of M. Similarly, an output slice has as its components one stream for each output channel. Thus the formal specifications for a module M will consist of a binary relation between input slices and output slices. This relation is called the characteristic relation for M. We reserve the notation EXT_M from now on to denote the characteristic relation for a module M. The slice relation approach to module specifications is not original, and a corresponding definition may be found in [Dennis, 1972].

As an example, an input slice for the module J shown below is a pair (u,v) in which u and v are packet streams for channels U and V, respectively; an output slice for J has the form (z), where z is a packet stream over Z.

Figure: The module J, with input channels U and V and output channel Z.

Thus the characteristic relation EXT_J for J will have elements of the form ((u,v), (z)).

Slices distinguish the time ordering between packets passed on each individual channel but not between packets on different channels. It may seem that crucial behavioral information is lost by not imposing a total ordering on all packet transmissions into and out of a module, but this turns out not to be the case. If a packet p1 is sent out on a channel C1 in some packet system before packet p2 is sent out on a different channel C2, there is no guarantee that p1 will arrive ahead of p2 in any sense at their respective destinations. This is because the architecture of packet systems imposes no constraints on transmission times along channels, permitting different channels with different characteristics suited to their needs. Thus the extra information obtained from inter-channel packet ordering is rendered meaningless by the properties of channels in a packet communication system. The use of slices in our model, then, provides exactly the information needed for proper behavioral specifications.

3.2. Streams and their operations

In this section the basic definitions, operations and mathematical properties of streams are laid out in detail. Because of the technical nature of the material, an index to the notations and terminology used is included as an Appendix.

For any arbitrary packet module M, we take as given for each of its input and output channels a well-defined space (set) of packet values that may be passed along that channel. The space, which we call a channel space for the channel, is identified with the channel and given the same name. Similarly, elements of a channel space are identified with packets passed on the channel.

We will define a stream to be a sequence of packets passed on a particular channel. Individual packets in a stream z will be denoted by expressions of the form z[i]. A stream z will be denoted by an expression of the form <z[1], z[2], ...>. Streams may be finite or (countably) infinite. The size of a stream z, written #z, is the number of packets in it. Two streams are equal if they have the same size and corresponding packets in them are equal. This means that a stream is uniquely determined by its size and by its elements and their ordering. The space of streams for a channel Z is denoted Z*. Formally, we have:

Definition: A set S of natural numbers is said to be an initial segment of the natural numbers iff for any i ∈ S, j ≤ i implies j ∈ S.

Definition: A stream over a space Z is a function mapping some initial segment of the natural numbers into Z. The space of all streams over Z is denoted by Z*.

Definition: The empty stream over a space Z, denoted by ε or by < >, is the unique stream over Z having empty domain and no elements.

Definition: If i is in the domain of a stream z, we define the i-th element of z, denoted z[i], to be the image of i under z.

Observe that z[i] is undefined if i is not in the domain of z, and that if z[i] is defined then z[j] is defined for all j ≤ i.

Definition: For any stream z, the size of z, denoted #z, is the number of elements in the domain of z. If the domain of z is infinite, then we say #z = ω.

Note that z[i] is defined if and only if 1 ≤ i ≤ #z. In particular, z[i] is defined for all natural numbers i if and only if #z = ω.

Definition: Two streams z and z' are said to be equal, written z = z', iff #z = #z' and z[i] = z'[i] for all i ≤ #z.
The symbol ω behaves as a natural number whose arithmetic properties are defined in the obvious manner, such as i ≤ ω and ω + 1 = ω for all natural numbers i. The value ω may or may not be counted in the range of natural number quantifiers; this depends on context. Because streams are countable, an expression such as z[ω] has no meaning, even when z is an infinite stream.

An important relation over streams is the prefix relation. A stream z is a prefix of a stream z' whenever z "occurs" at the beginning of z', as shown below.

Figure: The stream z as a prefix of the stream z'; the difference z' - z is the remainder of z' occurring after the prefix z.

For any stream z, we use the notation z[k:m] to denote the segment of z consisting of the k-th through m-th elements of z in order. z[k:m] is a stream of size m-k+1, and we allow the special case of an infinite stream when m = ω. If k > m, then z[k:m] is the empty stream. As a special case, whenever k ≤ #z, z[1:k] is the unique prefix of z of length k. This means that z[1:k][i] = z[i] for each i ≤ k.

Given streams z1 and z2 we can form their concatenation z1 @ z2, which is a stream consisting of the packets in z1 followed by the packets in z2. The formal definitions now follow:



Definition: Given two streams z, z' over the space Z, we say z is a prefix of z', denoted z PREFIX z', if and only if

(1) #z ≤ #z' and

(2) i ≤ #z ⇒ z'[i] = z[i].

Definition: For any stream z, if k ≤ m ≤ #z, then z[k:m] is the unique stream of size m-k+1 such that z[k:m][i] = z[k+i-1] for each i in its domain.

Definition: Given streams z and z' for which z PREFIX z', we define the difference z' - z by z' - z = z'[1+#z : #z'].

Definition: For any two streams z1 and z2 over the same space Z, their concatenation z1 @ z2 is the unique stream z of size #z1 + #z2 satisfying

z[i] = (if i ≤ #z1 then z1[i] else z2[i - #z1]).

There are two stream operations we will use which count and find particular packets in a stream: count(p,z) is the number of packets in z equal to packet p, and index(p,z,j) is the position in z of the j-th occurrence of packet p. They are defined by:

Definition: count(p,z) = card{i ≤ #z : z[i] = p}.

Definition: index(p,z,j) = (if ∃i ≤ #z such that z[i] = p and count(p, z[1:i-1]) = j-1 then i else undefined).

This is well-defined since if such an i exists, then it is uniquely determined.

Two more important relations over streams are the subsequence and merge relations. A stream z1 is a subsequence of stream z2 if the elements of z1 occur in the same relative order within z2. They do not have to occur contiguously. A stream z is a merge of streams z1 and z2 if and only if z1 and z2 occur in z as disjoint subsequences and together exhaust z. All merges of z1 and z2 are of length #z1 + #z2. The formal definitions are:
Definition: Given two streams z1 and z2 over the space Z, we say z1 is a subsequence of z2, denoted z1 SUBSEQ z2, if and only if there exists a function f that maps the domain of z1 into the domain of z2 such that

(1) k1 < k2 ⇒ f(k1) < f(k2) and

(2) for each k ≤ #z1, z1[k] = z2[f(k)].

A function f satisfying properties (1) and (2) will be called an embedding. Any subset S of the domain of a stream z defines a unique subsequence of z, which is formed by taking the packets of z indexed by S in increasing order.

Definition: Given three streams z, z1, z2 over a common space Z, we say z is a merge of z1 and z2 if and only if the domain of z may be partitioned into two disjoint subsets, one defining z1 as a subsequence of z and the other defining z2 as a subsequence of z.

This concludes the presentation of the fundamentals of streams.
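The stream operations of this section carried out in Python, as an added example that is not part of the thesis. Finite streams are tuples indexed from 1 as in the text, and the functions implement PREFIX, the segment z[k:m], the difference z' - z, concatenation, count, index, SUBSEQ and the enumeration of all merges of two streams; the function names are this example's own, and infinite streams (#z = ω) are outside what it models.

```python
"""Finite packet streams and the stream operations of section 3.2.

A stream is a Python tuple; #z is len(z) and the text's 1-based z[i] is z[i-1] here.
"""
from itertools import combinations


def prefix(z, z2):
    """z PREFIX z2: #z <= #z2 and z2[i] = z[i] for every i <= #z."""
    return len(z) <= len(z2) and z2[:len(z)] == z


def segment(z, k, m):
    """z[k:m], the k-th through m-th packets of z (1-based, inclusive); empty when k > m."""
    if k < 1 or m > len(z):
        raise ValueError("segment bounds must satisfy 1 <= k and m <= #z")
    return z[k - 1:m] if k <= m else ()


def difference(z2, z):
    """z2 - z = z2[1+#z : #z2], defined only when z PREFIX z2."""
    if not prefix(z, z2):
        raise ValueError("difference requires z PREFIX z2")
    return z2[len(z):]


def concat(z1, z2):
    """z1 @ z2: the packets of z1 followed by those of z2."""
    return z1 + z2


def count(p, z):
    """count(p, z): number of packets in z equal to p."""
    return sum(1 for q in z if q == p)


def index(p, z, j):
    """index(p, z, j): 1-based position of the j-th occurrence of p in z, or None if undefined."""
    for i, q in enumerate(z, start=1):
        if q == p and count(p, z[:i - 1]) == j - 1:
            return i
    return None


def is_subsequence(z1, z2):
    """z1 SUBSEQ z2: an increasing embedding of z1's positions into z2's exists.

    Scanning z2 left to right and matching each packet of z1 at its earliest
    possible position finds an embedding whenever one exists.
    """
    it = iter(z2)
    return all(any(p == q for q in it) for p in z1)


def merges(z1, z2):
    """Every merge of z1 and z2: choose which positions of the result are filled from z1,
    fill the remaining positions from z2; both streams keep their own relative order."""
    n = len(z1) + len(z2)
    for chosen in combinations(range(n), len(z1)):
        chosen = set(chosen)
        a, b = iter(z1), iter(z2)
        yield tuple(next(a) if i in chosen else next(b) for i in range(n))
```

Distinct choices of positions can yield equal streams when the two inputs share packet values, so callers that want the set of merges as streams should collect the generator into a set.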

In this section we exhibit some elementary packet modules together with their specifications. The first module we describe is the distributor module D (figure 3.3-1).

Figure 3.3-1: The distributor module D.
Input slices for D belong to S* (streams over S) and output slices belong to R* × Y* (pairs of streams over R and Y, respectively). This gives us the space for the characteristic relation EXT_D ⊆ (S*) × (R* × Y*). Within a packet system, module D has the general function of distributing packets through the system to places where they need to be routed. There are no restrictions on the type of packets that may be passed through D. The behavior of module D is to pass unchanged copies of input packets from S onto both output channels Y and R. The response of D to an input stream s is the generation of two output streams r and y identical to s. As with all the modules we describe here, this works for infinite streams as well as finite streams. Thus the behavior of D is defined by

((s), (r,y)) ∈ EXT_D ⇔ r = y = s.

We give a couple of examples of the behavior of D, showing input streams s together with valid responses r and y:

s = <8,1,6,4>, r = <8,1,6,4>, y = <8,1,6,4>;

s = <1,2,3,...>, r = <1,2,3,...>, y = <1,2,3,...>.

The negation module N (figure 3.3-2) processes boolean-valued packets, sending out for each input value b a packet whose value is the logical negation not(b).

Figure 3.3-2: The negation module N.

An output stream y will be a termwise negation of the corresponding input stream x. Formally, EXT_N ⊆ (X*) × (Y*) and

((x), (y)) ∈ EXT_N ⇔ #y = #x and y[i] = not(x[i]) ∀i ≤ #y.

An example of the behavior of module N is:

x = <true,false,true,true,false>, y = <false,true,false,false,true>.

The adder module A (figure 3.3-3) adds together the integer packets in corresponding positions in its two input streams x and r, sending out the sums on S.

Figure 3.3-3: The adder module A.

If one input stream is longer than the other, the extra packets absorbed from the longer input stream are not reflected in the output response. This is specified by EXT_A ⊆ (X* × R*) × (S*) and

((x,r), (s)) ∈ EXT_A ⇔ #s = min(#x, #r) and s[i] = x[i] + r[i] ∀i ≤ #s.

As examples, we have:

x = <8,1,-6>, r = <3,-5,6>, s = <11,-4,0>;

x any stream of four integer packets, r = < >, s = < >;

x = <1,3,5,...,2i-1,...>, r = <2,4,6,...,2i,...>, s = <3,7,11,...,4i-1,...>.

A subtly more complicated module is the cumulative adder module C (figure 3.3-4) for which each packet generated for output on Y is the sum of all packets received on X so far.

Figure 3.3-4: The cumulative adder module C.

We specify the behavior by EXT_C ⊆ (X*) × (Y*) and

((x), (y)) ∈ EXT_C ⇔ #y = #x and y[i] = Σ_{j ≤ i} x[j] ∀i ≤ #y.

As examples of the action of C, we have:

x = <4,2,-1,0,-6,3>, y = <4,6,5,5,-1,2>;

x = < >, y = < >;

x = <1,3,5,7,...,2i-1,...>, y = <1,4,9,16,...,i²,...>.

One of the modules we will be discussing later on is the feedback-modified first module F (figure 3.3-5), which handles integer packets.

Figure 3.3-5: The feedback-modified first module F.

Packets input from U are copied directly onto output channel Y. In addition, the value of the first packet input from U (if there is any) is suitably modified and the resulting value is output as a packet on V. For the purposes of this example, we shall say that the first packet value is modified by adding the number four to it. The behavior of F is specified by EXT_F ⊆ (U*) × (V* × Y*) and

((u), (v,y)) ∈ EXT_F ⇔ y = u and #v = min(1, #u) and v[i] = y[i] + 4 ∀i ≤ #v.

As examples, we have:

u = ε, v = ε, y = ε (empty streams);

u = <1,2,3>, v = <5>, y = <1,2,3>.

A module with an interesting logical function is the true gate T (figure 3.3-6), which pairs up integer data inputs from channel X with boolean control inputs from channel C. If the control value is true, the corresponding data input from X is passed out on Z. If the control value is false, the data packet is discarded. Thus the control stream on C filters out specified elements of the data stream on X. C must carry boolean packets, while X and Z may pass packets of any type.

Figure 3.3-6: The true gate T.

The behavior of T is defined by EXT_T ⊆ (X* × C*) × (Z*) and

((x,c), (z)) ∈ EXT_T ⇔ #z = count(true, c[1:k]), where k = min(#x, #c), and z[i] = x[index(true, c, i)] ∀i ≤ #z.

As examples, we have:

x = <1,2,3,4,5>, c = <true,false,true,true,false>, z = <1,3,4>;

x = <6,7>, c = <false,true,true,true>, z = <7>;

x = <8,9,10,11>, c = <false,true,true>, z = <9,10>.

The above modules are all determinate, since for any input slice there is exactly one output slice that is a valid response. Their behavior is therefore functional. Our specification technique may be applied to nondeterminate modules as well, as we now show.

The nondeterminate merge module J (figure 3.3-7) sends out all the packets it receives from input channels U and V onto output channel Z. The relative ordering of packets on each of U and V is preserved, but the packets coming from these two channels are arbitrarily interleaved on output. There is no restriction on the type of packets that may be passed through J.

Figure 3.3-7: The nondeterminate merge module J.

We may specify the behavior of J by EXT_J ⊆ (U* × V*) × (Z*) and

((u,v), (z)) ∈ EXT_J ⇔ z is a merge of u and v,

where the notion of a merge of two streams was defined in the previous section to be a stream containing the two given streams as disjoint subsequences. The size of an output stream z will always be the sum of the sizes of the corresponding input streams u and v.

As an example of the behavior of J, if it is given as inputs the two streams u = <1,2> and v = <3,4>, then there are six possible valid output responses: <1,2,3,4>, <1,3,2,4>, <1,3,4,2>, <3,1,2,4>, <3,1,4,2> and <3,4,1,2>. The output response <1,4,2,3>, however, is not valid, since the relative ordering of 3 before 4 in the input stream v has not been preserved on output.

In practice, a wide variety of nondeterminate behavior can be realized by constructing systems formed by interconnecting various determinate modules with instances of the module J. In this sense, the nondeterminate merge module J is often viewed as a canonical "source" of nondeterminacy in packet systems.
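The characteristic relations of the sample modules above, written out as predicates in Python; this is an added example, not code from the thesis. Each function takes the components of an input slice followed by those of an output slice and decides membership in EXT_M, so the examples quoted in the text are the natural inputs to try. Streams are finite tuples, booleans stand for the true/false packets, and the helper valid_responses (this example's own name) shows the difference between a determinate module, which accepts exactly one response per input slice, and J, which accepts several.

```python
"""Characteristic relations EXT_M of the sample modules of section 3.3 as predicates.

Each ext_* takes an input slice followed by an output slice (finite streams as tuples)
and returns True iff the output slice is a valid response under the relation in the text.
"""


def ext_D(s, r, y):
    """Distributor: both outputs are copies of the input."""
    return r == s and y == s


def ext_N(x, y):
    """Negation: y is the termwise logical negation of x."""
    return len(y) == len(x) and all(yi == (not xi) for xi, yi in zip(x, y))


def ext_A(x, r, s):
    """Adder: termwise sums, truncated to the length of the shorter input."""
    return len(s) == min(len(x), len(r)) and all(si == xi + ri for xi, ri, si in zip(x, r, s))


def ext_C(x, y):
    """Cumulative adder: y[i] is the sum of x[1] through x[i]."""
    return len(y) == len(x) and all(yi == sum(x[:i + 1]) for i, yi in enumerate(y))


def ext_F(u, v, y):
    """Feedback-modified first: y copies u; v holds the first packet of u plus four, if any."""
    return y == u and len(v) == min(1, len(u)) and all(vi == yi + 4 for vi, yi in zip(v, y))


def ext_T(x, c, z):
    """True gate: z keeps exactly the packets of x whose paired control value is true.

    zip stops at the shorter of x and c, which is the k = min(#x, #c) truncation of the text.
    """
    return z == tuple(xi for xi, ci in zip(x, c) if ci)


def ext_J(u, v, z):
    """Nondeterminate merge: z interleaves u and v, each in its own relative order."""
    if not z:
        return not u and not v
    return (bool(u) and z[0] == u[0] and ext_J(u[1:], v, z[1:])) or \
           (bool(v) and z[0] == v[0] and ext_J(u, v[1:], z[1:]))


def valid_responses(ext, inputs, candidates):
    """The candidate output slices that ext accepts for the given input slice.

    inputs and each candidate are tuples of streams, one per input/output channel.
    """
    return [out for out in candidates if ext(*inputs, *out)]
```

The relations are stated exactly as the text gives them, so a response that is too long (ext_F with two packets on V), too short, or out of order (ext_J on <1,4,2,3>) is rejected rather than silently truncated.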
3.4. Evaluation

We have seen how the slice-relation approach to module specifications works for some simple cases. In this section we address the question of applicability of our method to more complicated modules.

The examples we presented treated only packets of elementary types (integer and boolean). One of the main features of packet communication architecture is that systems may readily manipulate structured data, which are arbitrarily complex data structures such as arrays and records. Data items in the various fields of a structure may be processed concurrently in different internal sections of a system. Direct support for handling packets with arbitrarily complex structure is equally easy in our specification model. All that needs to be added are stream and packet operators for building and decomposing structures, and this is well understood and straightforward: structures are essentially labeled Cartesian products of their components, and basic operations on structures have been found in programming languages for a long time.
The basic question to be discussed here is how effectively our specification techniques can model the functional capabilities of modules that are to be physically realized in hardware within packet systems. We claim that the slice-relation descriptive formalism has sufficient power of expression to model the behavior of any realizable packet module. There are several factors that substantiate this claim. Our technique allows the use of arbitrary mathematically defined functions and predicates on packet values and streams. Basic operations on packet values may be composed through the use of conditional expressions and recursion on streams. This gives us at our disposal the functional capabilities of the textual language used to model data flow schemas in [Weng, 1976]. Thus, from the standpoint of formal computability, the slice-relation approach can model behavior of any desired complexity. Moreover, a module's characteristic relation acts as a predicate that asks of an output slice "is this a correct response to the presented input?" Thus, external characteristic relations are the way our model mathematically determines correctness of modules in packet systems.

The above arguments say nothing about the complexity of behavioral descriptions in our model. It is an unfortunate fact that as the processes one wishes to model increase in complexity, the effort required to formally specify them increases even more rapidly. Although this appears to be the case with packet modules as well as with computer programs, it is hoped that the hierarchical composition of packet systems can reduce the structural complexity to be handled, if not the functional complexity. Behavioral specifications for the structural composition of packet modules into systems are treated in the following chapter.
CHAPTER 4

4.1. Internal specifications

The external specifications described in the previous chapter constitute a formal way of stating how a packet system is to interact with its outside world. The most important conceptual principle here is that a system is correct whenever it satisfies its external specifications. As we mentioned earlier, correctness of a system cannot be established by outside observation alone; one must examine the internal operation of a system in order to prove correctness.

Structurally speaking, a packet system consists of a collection of component modules interconnected by channels. The behavior of a system is determined by two things: its structure and the behavior of its component modules. A formal description of a system's behavior which is based entirely on those two ingredients will be called a set of internal specifications for the system, because it expresses the system's action in terms of its internal composition.

In order to show a system is correct, two steps must be taken. First, one must produce a set of internal specifications for the system. These internal specifications then must be proved equivalent to the system's external specifications. The logical reasoning involved here is that the component modules are assumed to be correct from the beginning; this assumption is then used throughout the system correctness proof. If one wishes to demonstrate the correctness of a component module, it is decomposed structurally into its own components; this module's correctness is verified in the exact same manner as the entire system. In this way the hierarchical system structuring provided in packet communication architecture supports hierarchical structuring of system verification.

To formally derive the internal specifications for a packet system, two pieces of information are needed: (1) a structural description of the system, and (2) the external specifications for each of its component modules. It is not necessary to examine the component modules' structure, since they are assumed correct. The internal specifications will take the identical form as the external specifications, namely a binary relation between input and output slices.

At first glance, composing internal specifications for a packet system may appear to be a straightforward task; consider, for example, the system S1 shown in figure 4.1-1.

Figure 4.1-1: System S1, a functional composition.

Suppose that module F applies a function f to each packet value x received on X, sending the resulting value f(x) out as a packet on Y. If F preserves packet ordering, its characteristic relation EXT_F would contain all ordered pairs ((x), (y)) for which y is the stream obtained from stream x by applying f to each packet of x in sequence. In other words,

((x), (y)) ∈ EXT_F ⇔ #y = #x and y[i] = f(x[i]) ∀i ≤ #y.

If module G applies a function g in the same manner, i.e.

((y), (z)) ∈ EXT_G ⇔ #z = #y and z[i] = g(y[i]) ∀i ≤ #z,

then it is easy to see that for each packet entering the system S1, first f and then g is applied; the behavior of S1, then, is the functional composition of modules F and G. It is therefore a trivial matter to show that the internal specifications for S1 match the characteristic relation

((x), (z)) ∈ EXT_S1 ⇔ #z = #x and z[i] = g(f(x[i])) ∀i ≤ #z.

One could take a far more complicated example, such as a system to compute roots of quadratic equations which is composed from modules that take square roots, multiply by four, divide two values, and the like. There would be long chains of functional composition, but nothing that would present any major problems. Similarly, for a nondeterminate system, one could simply compose relations instead of functions. It seems, at least so far, that internal specifications are simple indeed to determine.

There turns out to be a very large fly in the ointment. Figure 4.1-2 depicts a system structure for which functional or relational composition is of no use whatsoever. The cyclic interconnection structure imposes mutual data dependencies between channels Q and R. Packets passed on channel R from module B depend on the packets received by B from channel Q, while the packets passed on Q depend on earlier packets received by module A from channel R. It is a distinctly nontrivial task to express the stream R in terms of the remaining streams X, Q and Z, since packets passed on R will in general depend on packets previously passed on R.

Figure 4.1-2: Cyclic data dependencies (modules A and B connected by channels Q and R).

This kind of dependency introduces mutually recursive systems of equations expressing the channel streams in terms of one another. Kahn [Kahn, 1974] has found a way to solve systems of this kind through the use of a mathematical theory of fixpoints. His technique, however, requires that the modules be determinate, and there is no straightforward way to extend it to nondeterminate systems. The task of deriving internal specifications for a packet system is a challenging problem, and a new approach is required.

The approach we will take is an operational view of systems. We model the operation of a system by tracing the progress of a computation in a sequence of internal system states. The system's response to particular presented input is characterized by a particular progression of internal states, which we call an execution sequence. In general, there are a large number of possible execution sequences for a particular system response to some presented input. A given property which we would wish to prove must be shown to hold over all possible execution sequences that may be taken by the system. The next section informally introduces some of the basic characteristics of execution sequences.

4.2. Execution sequences (introductory)

The progress of a computation in a packet system is modeled by the succession of internal states in an execution sequence. We will be defining internal states so that a state incorporates for each channel the cumulative stream of packets generated to be passed on the channel. This determines, in particular, for each state the input slice presented to the system and the output slice generated by the system so far.

A property we want execution sequences to have is that from one we can construct a system state that represents the computation run to completion. For such a state, the output slice is exactly one of the system's possible ultimate responses to the presented input. Such an execution sequence will be said to realize that particular output response to the system's presented input. It will then be a straightforward task to produce the system's internal specifications, which are the binary relation between input slices and the corresponding output slices realized by execution sequences.

A particular kind of physical event we wish to model in an execution sequence is the transmission of a packet on some channel. The act of a module sending a packet out on a channel may occur at any moment between the time the packet is generated by the module and the time the module receives an acknowledge signal for the packet. At a given instant of time during such an interval, the packet may or may not have been sent out already, and we cannot determine which is the case. Execution sequences will therefore capture two kinds of events: generation of a packet and receipt of the acknowledge signal. Because we do not know the actual moment of transmission, a packet will be regarded as only potentially present on the channel during the interval between these two events.

Each state in an execution sequence must reflect the relevant events that have occurred in the system. The events described above are associated with particular channels, so we may partition state information into components relating to the individual channels in the system. To model a state, we give for each channel the cumulative sequence of events of each kind (packet generation and acknowledgment) that have taken place. Packet generation events are handled by giving the stream of generated packets for each channel. Since the channels act as FIFO queues, the packets that have been acknowledged are always given by a prefix of the generated packet stream. We call this prefix the acknowledged prefix of the stream. Thus every state in an execution sequence consists of a generated packet stream for each channel together with its acknowledged prefix.

Another significant property of execution sequences is that they are to exhibit the behavior of the component modules of the system. At any state, for each module the generated packet streams on the module's output channels must constitute a valid response by that module to the input packets it has received (and acknowledged).

A transition from one state to the next in an execution sequence models the physical occurrence of a module receiving new input and generating new output packets in response. If there are no more packets waiting to be absorbed by modules in the system, the system state will remain constant.

We now give some examples of execution sequences for the sample packet system S shown in figure 4.2-1.

Figure 4.2-1: A sample packet system S.

J is the nondeterminate merge module and F is the feedback-modified first module; both of these modules were described in the previous chapter. Nondeterminate systems such as S may generate different output responses to a given presented input. This will be reflected in our examples.

An execution sequence is represented by a table in which the rows are the internal states and the columns correspond to channels. Each entry of the table is the appropriate stream of generated packets, with a heavy dot marking the end of the acknowledged prefix.

Execution sequence A, shown in figure 4.2-2, models a particular response of system S to the input stream <1,2> presented on channel X. We also give a corresponding series of snapshots showing the internal system
states during the computation.

state    X      U      V      Y
  0     •12    •      •      •
  1     1•2    •1     •      •
  2     1•2    1•     •5     •1
  3     12•    1•2    •5     •1
  4     12•    12•    •5     •12
  5     12•    12•5   5•     •12
  6     12•    125•   5•     •125
  7     12•    125•   5•     125•

Figure 4.2-2: Sample execution sequence A for system S.



The snapshots, shown in figure 4.2-3, depict the first seven internal system states captured in execution sequence A. In state 0, the sequence <1,2> of input packets has not yet entered the system to be processed, and no packets have been acknowledged (all the heavy dots are at the left end of the channel streams). In state 1, the first packet (with value 1) has been received and acknowledged by module J, and a copy has been generated to be sent on channel U. This copy is, by the time of state 2, received and acknowledged by module F. F generates a copy for output on Y, and also a packet with value 5 (1+4) for output on V (since the packet 1 was the first packet received by F on U). In state 3, the input packet 2 has been passed by J onto U, and in state 4 it is generated as output on Y. Note that no further packets are generated for channel V. By state 5, the packet with value 5 has been processed by J, and by state 6 it has been passed through F. State 6 shows that system S's response <1,2,5> to its input <1,2> has been completely generated for output. By state 7 (not shown), these packets have been sent out and acknowledged by their outside world recipient.

Figure 4.2-3: Snapshots for execution sequence A.

We now present another execution sequence that models the response of system S to the same presented input stream <1,2>. Execution sequence B, shown in figure 4.2-4, is identical to execution sequence A except for states 2 and 4.

state    X      U      V      Y
  0     •12    •      •      •
  1     1•2    •1     •      •
  2     12•    •12    •      •
  3     12•    1•2    •5     •1
  4     12•    1•25   5•     •1
  5     12•    12•5   5•     •12
  6     12•    125•   5•     •125
  7     12•    125•   5•     125•

Figure 4.2-4: Sample execution sequence B for system S.

From state 1 to state 3, this execution sequence has module J receive and process the packet 2 before module F processes the packet 1, reversing the order of these two events from the way they were in execution sequence A. Similarly, from state 3 to state 5 here, J takes in the packet 5 before F processes the packet 2. The snapshots at states 2 and 4 for execution sequence B are shown in figure 4.2-5.

Figure 4.2-5: Snapshots for execution sequence B.

Observe that the two distinct execution sequences A and B model two distinct computations for the system S, both resulting in the same system response <1,2,5> to the presented input <1,2>. On the other hand, execution sequence C, shown in figure 4.2-6, models a computation in which the system produces a different response <1,5,2> to the same input. This sequence is identical with execution sequence A through state 2, but now module J processes the packet 5 from channel V before it takes the packet 2 from channel X. This difference is what causes the change in system response. Snapshots for the resulting states 3 through 6 for execution sequence C are shown in figure 4.2-7.

state    X      U      V      Y
  0     •12    •      •      •
  1     1•2    •1     •      •
  2     1•2    1•     •5     •1
  3     1•2    1•5    5•     •1
  4     1•2    15•    5•     •15
  5     12•    15•2   5•     •15
  6     12•    152•   5•     •152

Figure 4.2-6: Sample execution sequence C for system S.

Figure 4.2-7: Snapshots for execution sequence C.

It is important to note that at any time during a computation in a packet system, a packet that has been generated to be sent out on some channel may or may not actually have been sent out already. After the packet is acknowledged we know it has been sent out, but before acknowledgment it is only potentially on the channel. "Potential" packets are guaranteed to have been passed on the channel by some future time, in the relative order given, but we can draw no stronger conclusions. This means that in all the snapshots we have depicted here, the packets shown on the various channels were at the indicated time only potentially present.

This concludes our informal introduction to execution sequences. In
the next section we shall motivate and discuss the properties that will be
used to characterize them formally.

4.3. Properties of execution sequences 

In order to formally define execution sequences for a packet system,
we need to carefully motivate and discuss several properties that characterize
them. We shall be using as an example a particular packet system C
composed from the modules A and D as shown in figure 4.3-1. The left half
of the figure shows the system structure pictorially, while the right half is a
textual representation that provides a formal structural description of the
system. Once we characterize execution sequences for C, its internal
specifications will be the binary relation between presented input slices and
the corresponding output slices that are realized as the system's response to
the given input by some execution sequence. This, of course, will provide a
formal behavioral specification for C expressed in terms of the above
structural description of C and in terms of the characteristic relations EXT_A
and EXT_D for the component modules A and D. In the previous chapter, we
specifically defined the external specifications for A and D, but in our
treatment here the characteristic relations shall be viewed abstractly.

Figure 4.3-1: Realization of a sample packet system C

An execution sequence is a time-ordered progression of internal
states of a packet system, and a state gives particular information about each
channel in the system. The state information for a channel Z at any given
moment contains, as we mentioned earlier, both the stream of packets
generated to be passed on Z and its acknowledged prefix. The space of
streams of packets passed on Z is denoted by Z^∞ and includes infinite as well
as finite streams. For any stream z ∈ Z^∞, we denote its acknowledged prefix
by z*. A channel state for Z will then be an ordered pair of the form <z; z*>.

The state information for a system is simply the collection of state
information on all of its channels. For our sample system C, define the space
CSYS^∞ to be the cartesian product of the channel packet stream spaces X^∞,
S^∞, R^∞ and Y^∞. Elements of CSYS^∞, which are called system slices, are
denoted $ (the dollar sign is pronounced "slice") and are tuples of the form
(x, s, r, y), where x, s, r and y are streams of integer packets. A system
state will consequently be an ordered pair of the form <$; $*>, where the
acknowledged prefix $* of the slice $ is the tuple whose components are the
acknowledged prefixes of the respective components of $.

We have already defined input and output slices for modules. In a
packet system, the input slice space for a module is the cartesian product
of the channel stream spaces for the module's input channels; output slices are
similarly built up from the module's output channel stream spaces. For the
module A in our example, these two spaces are AIN^∞ = (X^∞ × R^∞) and
AOUT^∞ = (S^∞); for the module D they are DIN^∞ = (S^∞) and
DOUT^∞ = (R^∞ × Y^∞). The same thing can be done for the system C viewed
as a module: CIN^∞ = (X^∞) and COUT^∞ = (Y^∞). Thus, the characteristic
relations for C and its two component modules A and D are given by
EXT_C ⊆ (X^∞) × (Y^∞), EXT_A ⊆ ((X^∞ × R^∞) × (S^∞)) and
EXT_D ⊆ ((S^∞) × (R^∞ × Y^∞)). We will have ((x), (y)) ∈ EXT_C if and
only if the output stream y is a valid response to the input stream x under
the semantic properties of the system C.

Execution sequences for a packet system will be of the form
{<$_i, $_i*>}, where i takes on natural number values and $_i* will be the
acknowledged prefix of the i-th system slice $_i. There are a number of
semantic properties which an execution sequence must satisfy in order to
correctly model the action of a packet system. We describe them here in
terms of the sample packet system C, noting that the generalization to
arbitrary packet systems presents no difficulty. For the system C, the
components of system slice $_i are denoted by $_i = (x_i, s_i, r_i, y_i).

The first condition an execution sequence must satisfy is that it begin
with a valid initial system state. To capture the property that no packets
have been processed at the start, we require that the initial state
<$_0; $_0*> have an empty acknowledged prefix $_0*. The components of $_0
corresponding to input channels must match the presented input slice. In our
case, this means that x_0 must be equal to a given stream x of inputs. And it
must also be the case that the other components of $_0 agree with the initial
configuration defined by the system structure. For system C this requires
that we have s_0 = y_0 = ε (empty streams) and r_0 = <0> (stream of one
zero-valued packet).

An execution sequence is supposed to reflect a system's response to a
particular presented input slice, and this input slice appears in its entirety
within the initial system slice $_0. In order for the execution sequence to
realize a response to precisely this input and nothing more, we must have at
each system state the identical input slice as at the beginning, which for the
system C means that x_i = x_0 for all i. Physically, this requirement amounts
to the outside world suspending additional input to the system until the 
system completes its response to the input already presented. 

The third condition that must be fulfilled is agreement with the
semantic properties of the component modules of the system. What this
means is that for all states it must be true of each module that the packets
that have been received and acknowledged by that module are related through
the module's characteristic relation to the output packets generated by that
module. In our system, the semantics for the A module impose the condition
((x_i*, r_i*), (s_i)) ∈ EXT_A, and the D module forces
((s_i*), (r_i - r_0, y_i)) ∈ EXT_D. (The reason we specifically remove the
stream r_0 is that it represents a packet stream that is initially present but
is not generated as output by any module.) These conditions must hold for
each i indexing some state in the execution sequence, starting from the
initial state with i = 0.

The fourth property that should hold for an execution sequence is
rather complex. We wish to capture the requirement that state transitions
within an execution sequence must conform to the system structure. Each state
<$_{i+1}; $_{i+1}*> must follow from its predecessor <$_i; $_i*> in a manner
consistent with the physical arrangement of the system's channels. Once a
packet is sent out along a channel, it can never be "unsent" or called back.
For each channel Z in the system, packets may only be added in going from one
state to another. Moreover, since the channels act as FIFO queues, new packets
cannot disturb the relative order of previous packets. Thus, for each channel
Z, the channel stream z_i must be a subsequence of z_{i+1} for all i. This
requirement also holds separately for the acknowledged prefixes on each
channel, since acknowledged packets cannot become "unacknowledged," so we must
also have z_i* as a subsequence of z_{i+1}* for all i.

It would greatly simplify the technical development in the
following section if we could strengthen this fourth condition to require that
z_i be a prefix of z_{i+1} rather than any subsequence. As it stands now, we
are requiring that a module can only send out additional packets in response
to new input packets received. Insisting on a prefix property would impose a
time restriction on the intervals from packet generation to packet
transmission, forcing packets to be sent out on channels in the exact same
order in which their respective processes of generation were initiated.
Unfortunately, this turns out to be too strong a stipulation. If a module such
as M (figure 4.3-2) receives from its input channel X first a packet p and
later a packet q, it may very well take M longer to produce a packet p' in
response to p than to produce a packet q' in response to q.

Figure 4.3-2: A module M.

This could occur naturally in applications such as a cache memory or an
information retrieval system. In order for M to derive the benefits of
asynchronous operation, its behavior should be specified nondeterminately so
that either stream <p',q'> or <q',p'> will be a valid response to the input
stream <p,q>. Figure 4.3-3 depicts the two corresponding execution sequences,
which should both be valid.

Figure 4.3-3: Two execution sequences for M.

In execution sequence (a), channel stream y_1 = <p'> is a prefix of channel
stream y_2 = <p',q'>. However, in sequence (b), the packet q' has cut ahead of
the packet p' by the time state 2 occurs. This is legal, since the p' packet is
only potentially present on Y during state 1. So for sequence (b), y_1 = <p'>
is a subsequence and not a prefix of y_2 = <q',p'>. In fact, there is no way to
realize the response described by execution sequence (b) if we insist that y_1
be a prefix of y_2. We need the generality of the subsequence relation to
realize "cutting ahead" behavior of this nature in packet systems. Thus we
cannot strengthen the requirement that each channel stream in an execution
sequence be a subsequence of its successor.

We can, on the other hand, strengthen the subsequence property to
use the prefix relation in the case of acknowledged prefixes of channel states.
The "cutting ahead" behavior as described above cannot occur within the
acknowledged prefix of a channel stream, since we know that all the packets
here have already been passed. This means that in any execution sequence,
the only way z_{i+1}* may differ from z_i* is through the appending of newly
acknowledged packets to the end of the stream. Thus z_i* cannot be just any
subsequence of z_{i+1}*; it must be a prefix.

The fifth and final condition that must be satisfied by an execution
sequence is that no channel may receive acknowledgment for a packet that
was never generated as output to be sent on that channel. This is guaranteed
by requiring that for each i the acknowledged prefix z_{i+1}* be an initial
segment of the previous stream z_i on all channels Z.

The notion of execution sequence that has been developed here
models the progress of a computation within a packet system, but there is one
final element that is missing: the idea of the ultimate result of a
computation. We must identify when a packet system finishes responding to its
input as well as handle the cases of infinite inputs and infinite responses to
finite inputs. This will be done by developing the concepts of limits and
completeness for execution sequences.

For any packet system, we may define a relation PRECEDES on system
states by <$_i, $_i*> PRECEDES <$_j, $_j*> iff ($_i* PREFIX $_j* and
$_i SUBSEQ $_j). Intuitively, increasing values with respect to PRECEDES
indicate forward progress of a computation within a packet system. In
particular, S1 PRECEDES S2 must hold whenever system state S2 is reachable
from system state S1 in some computation through the processing of additional
packets. We may observe that PRECEDES is a transitive relation. Furthermore,
by condition (4) above, an execution sequence is monotonically increasing with
respect to PRECEDES. An upper bound of an execution sequence, then,
corresponds to a computation that has progressed at least as far as all the
states in the sequence, while a least upper bound indicates that no extraneous
computation is taking place. We define a limit of an execution sequence to
be a least upper bound with respect to the PRECEDES relation. Thus, a limit
of an execution sequence corresponds to a system state in which all the
computation specified by the sequence runs to completion. This notion applies
to infinite as well as finite computations. We use the notation
lim {<$_i, $_i*>} = sup {<$_i, $_i*>} to denote the limit (least upper bound)
of an execution sequence when it is well-defined and unique.

It may be observed that the PREFIX relation is a partial order and
that for any execution sequence {<$_i, $_i*>} the sequence {$_i*} is
monotonically increasing with respect to PREFIX and always has a uniquely
defined least upper bound $_∞* = sup {$_i*}. These facts are proved in the
next section. However, least upper bounds are not necessarily well defined
with respect to PRECEDES. We therefore need some additional properties to be
satisfied by an execution sequence in order to guarantee that limits exist and
are well defined.

Consider a system state <$, $*> in which $* is a proper prefix of $.
The nonempty difference slice $ - $* would represent packets that have been
generated but not yet acknowledged. Such a state can never represent a
complete computation, since it specifies packets still awaiting processing by
various internal modules. If the system is to fully respond to its inputs, all
the packets that have been generated at any time during a computation must
eventually be acknowledged. We thus define an execution sequence {<$_i, $_i*>}
to be complete if and only if for each i there exists a j such that
$_i SUBSEQ $_j*. This j will be the state by which time all packets that have
been generated by the time of state i will have been sent out and
acknowledged. In general, in any state <$, $*> for which $ = $*, there are
no generated packets waiting for processing and acknowledgment, so the
system cannot perform any further actions. We prove in the next section
that any complete execution sequence {<$_i, $_i*>} has a unique and well
defined limit <$_∞, $_∞*> for which $_∞ = $_∞*. This result will be known as
the Limit Existence Theorem. Thus the notion of a computation running to
completion within a packet system is always well defined.

The limit of a complete execution sequence should always represent
the state of the system upon completing its ultimate output response to the
presented input. For a given input slice, we call such a state a limit state,
and we say that the slice consisting of the streams for the system output
channels in a limit state is an ultimate output slice. The presented input slice
and the ultimate output slice may each be finite or infinite. If either is
infinite, there will be infinitely many states in a complete execution sequence
and the limit state will not be one of the states in the sequence. We shall
adopt the convention that execution sequences will always be infinite. If
both the presented input and ultimate output slices are finite, then the limit
state will be an element of the execution sequence, and all succeeding
elements will be identical to this state.
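The single-channel case of the relations just discussed, worked as an added example (not code from the thesis): PREFIX, SUBSEQ and PRECEDES on channel states, the monotonicity and completeness conditions, and the limit <z_∞, z_∞> of a monotone, complete sequence, exercised on module M's "cutting ahead" behavior from figure 4.3-3. The packet names p', q' and the sample sequences are constructed for the example; a finite list stands for the infinite sequence whose last state repeats.

```python
"""Channel states, PRECEDES, and the limit of a monotone, complete sequence.

Added example (not from the thesis). Streams are finite tuples; a channel
state is a pair (z, z*) with z* PREFIX z. Execution sequences are infinite
by convention, so a finite list stands for the sequence whose last state
repeats forever. The sample states are constructed from module M's
"cutting ahead" behaviour on its output channel Y (figure 4.3-3).
"""
from typing import Callable, List, Optional, Sequence, Tuple

Stream = Tuple[str, ...]
ChannelState = Tuple[Stream, Stream]  # (z, z*) with z* PREFIX z


def prefix(a: Stream, b: Stream) -> bool:
    """a PREFIX b: a is an initial segment of b."""
    return b[: len(a)] == a


def subseq(a: Stream, b: Stream) -> bool:
    """a SUBSEQ b: a is obtained from b by deleting packets, order kept."""
    rest = iter(b)
    return all(any(p == q for q in rest) for p in a)


def precedes(s: ChannelState, t: ChannelState) -> bool:
    """<z_i,z_i*> PRECEDES <z_j,z_j*> iff z_i SUBSEQ z_j and z_i* PREFIX z_j*."""
    (z1, a1), (z2, a2) = s, t
    return subseq(z1, z2) and prefix(a1, a2)


def is_channel_state(s: ChannelState) -> bool:
    z, ack = s
    return prefix(ack, z)


def is_monotone(seq: Sequence[ChannelState],
                stream_rel: Callable[[Stream, Stream], bool] = subseq) -> bool:
    """Condition (4): each state PRECEDES its successor.  stream_rel lets the
    caller try the stricter PREFIX requirement on the channel streams, which
    the text shows is too strong; the acknowledged prefixes always use PREFIX."""
    if not all(is_channel_state(s) for s in seq):
        return False
    return all(stream_rel(z1, z2) and prefix(a1, a2)
               for (z1, a1), (z2, a2) in zip(seq, seq[1:]))


def is_complete(seq: Sequence[ChannelState]) -> bool:
    """Every generated packet is eventually acknowledged:
    for each i there is a j with z_i SUBSEQ z_j*."""
    return all(any(subseq(z, ack) for _, ack in seq) for z, _ in seq)


def limit(seq: Sequence[ChannelState]) -> Optional[ChannelState]:
    """Limit of a monotone and complete sequence: the least upper bound under
    PRECEDES is (z_inf, z_inf) with z_inf = sup{z_i*} under PREFIX.
    Returns None when the hypotheses fail, since the lub need not then exist."""
    if not seq or not (is_monotone(seq) and is_complete(seq)):
        return None
    z_inf = seq[-1][1]  # the z_i* form a PREFIX chain, so their sup is the last one
    lub = (z_inf, z_inf)
    assert all(precedes(s, lub) for s in seq)  # it is an upper bound (proof step)
    return lub


P, Q = "p'", "q'"  # M's responses to the input packets p and q (constructed)

# Sequence (a) of figure 4.3-3: p' is sent first, then q'.
SEQ_A: List[ChannelState] = [
    ((), ()), ((P,), ()), ((P, Q), ()), ((P, Q), (P,)), ((P, Q), (P, Q)),
]
# Sequence (b): q' cuts ahead of the only potentially present p' at state 2.
SEQ_B: List[ChannelState] = [
    ((), ()), ((P,), ()), ((Q, P), ()), ((Q, P), (Q,)), ((Q, P), (Q, P)),
]
# Illegal: p' was already acknowledged, so q' may not cut ahead of it.
SEQ_ACK_REORDER: List[ChannelState] = [((P,), (P,)), ((Q, P), (Q,))]
# Incomplete: p' is generated but never acknowledged.
SEQ_INCOMPLETE: List[ChannelState] = [((), ()), ((P,), ())]

if __name__ == "__main__":
    print(is_monotone(SEQ_B), is_monotone(SEQ_B, stream_rel=prefix))  # True False
    print(limit(SEQ_B))  # (("q'", "p'"), ("q'", "p'"))
```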

There is a class of pathological conditions under which the limit of
a complete execution sequence fails to represent the system's ultimate output
response to the presented input. Consider the case of a module M
(figure 4.3-4), which outputs the empty stream for finite input but which
echoes any infinite input stream. The external characteristic relation EXT_M
is given by EXT_M ⊆ ((P^∞) × (Q^∞)) and

((p), (q)) ∈ EXT_M <=> (#p < ∞ and q = ε) or (#p = ∞ and q = p).

Figure 4.3-4: A discontinuous module.
In response to input streams p of increasing finite length, M will not send
out any packets at all, and the limit of a complete execution sequence
modeling this behavior will exhibit an empty ultimate output stream q_∞. But
this disagrees with M's specified nonempty response to infinite input. The
problem lies in the way EXT_M was defined; we may avoid this by requiring
that all module characteristic relations be continuous, which means that the
responses to an increasing sequence of input streams must tend to an
appropriate, well-defined limit. When this is the case, we are guaranteed
that the limit of a complete execution sequence correctly captures
the system's ultimate output response.

We now proceed to the formal characterization of execution sequences.

4.4. Execution sequences (formally)

We now give the formal characterization of the notion of execution
sequences that has been developed. First, we show an example; afterwards,
we give the definitions for the general case. Consider the sample system C,
which was discussed in the previous section and is shown here again:



System C
    inputs X(integer)
    outputs Y(integer)
    internals S(integer), R(integer)
    Submodules
        A inputs X, R; outputs S
        D inputs S; outputs R, Y
    Initially R<0>

Figure 4.4-1: Realization of a sample packet system C
We have the following characterization:

An infinite sequence {<$_i, $_i*>} in which for each natural number i
$_i* = (x_i*, s_i*, r_i*, y_i*) is an acknowledged prefix of
$_i = (x_i, s_i, r_i, y_i) will be an execution sequence for C if and only if
the following five conditions hold:

(1) [initial state] $_0* = (ε,ε,ε,ε), s_0 = y_0 = ε, r_0 = <0>

(2) [input suspension] x_i = x_0 for all i

(3) [consistency] ∀i: ((x_i*, r_i*), (s_i)) ∈ EXT_A and
    ((s_i*), (r_i - r_0, y_i)) ∈ EXT_D

(4) [FIFO] $_i* PREFIX $_{i+1}* and $_i SUBSEQ $_{i+1} for all i

(5) [connection] $_{i+1}* PREFIX $_i for all i

An execution sequence {<$_i, $_i*>} for system C is complete if and only if
∀i ∃j: $_i SUBSEQ $_j*.

Note that although the PREFIX and SUBSEQ relations were defined over streams,
they are being applied to system slices here. The intent is for these relations
to be taken componentwise over all channel streams, which means one
slice is a prefix of a second if and only if each component channel stream in
the first slice is a prefix of the matching channel stream in the second slice.
Subsequences are treated in the same way.

The above formal characterization of execution sequences for the
system C may be extended to arbitrary packet systems with no difficulty.
The formal structural definition for a packet system is of the general form

System SYS
    inputs W(—), ..., X(—)
    outputs Y(—), ..., Z(—)
    internals U(—), ..., V(—)
    Submodules
        M inputs P, ..., Q; outputs R, ..., S
        ...
    Initially U<u0>, ..., V<v0>, Y<y0>, ..., Z<z0>.

The parenthesized items are channel packet types and may be arbitrary. (The
use of consecutive letters is merely a notational convention; the ellipses,
such as "P, ..., Q", allow an arbitrary number of items in between, so that for
example a submodule M of the system may have any number of input
channels.)

The generalized definitions now become:

Definition: A sequence {<$_i, $_i*>} of system states for a system SYS whose
structural description is as given above will be an execution sequence for SYS
if and only if

(1) [initial state] $_0* = (ε, ..., ε), u_0 = u0, ..., v_0 = v0,
    y_0 = y0, ..., z_0 = z0

(2) [input suspension] ∀i: w_i = w_0, ..., x_i = x_0

(3) [consistency] For each module M in SYS we have

    ∀i: ((p_i*, ..., q_i*), (r_i - r_0, ..., s_i - s_0)) ∈ EXT_M

(4) [FIFO] $_i* PREFIX $_{i+1}* and $_i SUBSEQ $_{i+1} for all i

(5) [connection] $_{i+1}* PREFIX $_i for all i

Definition: An execution sequence {<$_i, $_i*>} for a system SYS is complete if
and only if ∀i ∃j: $_i SUBSEQ $_j*.

We will thus be able to give internal specifications for any packet system.

The relations PREFIX and SUBSEQ were defined in section 3.2. We
now proceed to derive the basic mathematical properties for these two
relations and the PRECEDES relation. This will lead us to a proof of the Limit
Existence Theorem, which states that limits exist and are well-defined for
complete execution sequences.

Lemma 1: For any space Z, the PREFIX relation is a partial ordering over Z^∞.

Proof: The reflexive and transitive properties are clearly satisfied. Now if
z PREFIX z' and z' PREFIX z, then #z ≤ #z' and #z' ≤ #z, so #z = #z' = N, which
means z and z' have the same domain. But then for i ≤ N we have
z[i] = z'[i], which means z and z' coincide over their common domain. This
forces z = z' and establishes the antisymmetry property, completing the proof.

Definition: A sequence {z_i} of streams is said to be monotone if for each i,
z_i PREFIX z_{i+1}.
Lemma 2: Any monotone sequence {z_i} of streams has a unique and well
defined least upper bound.

Proof: Each stream z_i is a function that may be regarded as a set of ordered
pairs of the form <k, z_i[k]>. Let z be the set-theoretic union of all the z_i.
Then z will be a function, since any two ordered pairs <k, z_i[k]> and
<k, z_j[k]> must coincide (by monotonicity). It is immediately apparent that
z ∈ Z^∞ and z is an upper bound for {z_i} under PREFIX. Moreover, z will be a
least upper bound, since any upper bound for {z_i} must contain all the z_i
set-theoretically and hence their union z. Finally, uniqueness follows from
the antisymmetry property derived in Lemma 1.

Lemma 3: PREFIX is a subrelation of SUBSEQ.

Proof: The insertion function required by the formal definition of SUBSEQ is
simply the identity function.

It is easy to see that the SUBSEQ relation is reflexive and transitive. However,
it is not necessarily antisymmetric! Consider the two infinite streams (01)^∞
and (10)^∞, each consisting of alternating zeros and ones. These
streams are distinct, but each is a subsequence of the other. Thus, SUBSEQ is
not a partial ordering relation.

The relations PREFIX and SUBSEQ both apply to streams, but the
PRECEDES relation will be defined over channel states, as follows.

Definition: A channel state for a channel Z in a packet system is an ordered
pair of the form <z, z*> in which z and z* are streams over Z with
z* PREFIX z.

Definition: For two channel states <z_i, z_i*> and <z_{i+1}, z_{i+1}*> we say
<z_i, z_i*> PRECEDES <z_{i+1}, z_{i+1}*> if and only if z_i SUBSEQ z_{i+1} and
z_i* PREFIX z_{i+1}*.

Definition: A sequence {<z_i, z_i*>} of channel states is said to be monotone if
and only if <z_i, z_i*> PRECEDES <z_{i+1}, z_{i+1}*> for all i.

Definition: A sequence {<z_i, z_i*>} of channel states is said to be complete if
and only if ∀i ∃j s.t. z_i SUBSEQ z_j*.

It is extremely important to note that the relation PRECEDES fails to be a
partial order because it is not antisymmetric. Consider the case of the two
channel states <(01)^∞, ε> and <(10)^∞, ε>, each consisting of an infinite
stream and an empty acknowledged prefix. These states are distinct, but each
PRECEDES the other. Thus least upper bounds with respect to PRECEDES are not
necessarily well defined. However, monotonicity together with completeness is
sufficient to guarantee that the least upper bound of a sequence of channel
states exists and is well defined, as the following theorem shows.

Theorem: If {<z_i, z_i*>} is a monotone and complete sequence of channel
states and z_∞ = sup {z_i*}, then sup {<z_i, z_i*>} is well defined and
unique and equal to <z_∞, z_∞>.

Proof: Since {z_i*} is monotone by the definition of PRECEDES, Lemma 2 gives
it a unique and well defined least upper bound z_∞ under PREFIX. Now given
any i, by completeness we have z_i SUBSEQ z_j* for some j. But
z_j* PREFIX z_∞, which by Lemma 3 implies z_j* SUBSEQ z_∞. Since SUBSEQ is
transitive, we obtain the relation

(5) z_i SUBSEQ z_∞.

The combination of (5) with z_i* PREFIX z_∞ for all i establishes <z_∞, z_∞>
as an upper bound for {<z_i, z_i*>} with respect to PRECEDES.

In order to show that this upper bound is in fact a least upper
bound, we must establish that for any channel state <z, z*> for which
<z_i, z_i*> PRECEDES <z, z*> for all i, it must be the case that
<z_∞, z_∞> PRECEDES <z, z*>. Now this assumption implies z_i* PREFIX z* for
all i, so the least upper bound z_∞ of {z_i*} must be a prefix of the upper
bound z*:

(6) z_∞ PREFIX z*.

But since <z, z*> is a channel state, z* PREFIX z, so z_∞ PREFIX z, which
implies

(7) z_∞ SUBSEQ z.

The combination of equations (6) and (7) yields the result
<z_∞, z_∞> PRECEDES <z, z*>, so we now have established that <z_∞, z_∞> is a
least upper bound for {<z_i, z_i*>}.

The proof is not yet complete, since the PRECEDES relation is not
necessarily antisymmetric and we must therefore explicitly guarantee the
well-definedness and uniqueness of the least upper bound we produced. This
will follow directly if we show that for any channel state <z, z*>, whenever
<z_∞, z_∞> PRECEDES <z, z*> and <z, z*> PRECEDES <z_∞, z_∞> then it must be
true that z = z* = z_∞. Now z_∞ PREFIX z* PREFIX z_∞ implies z* = z_∞. Also,
the combination z* PREFIX z SUBSEQ z_∞ implies #z* ≤ #z ≤ #z_∞, and this
"squeeze" condition forces #z* = #z. But since z* PREFIX z, this means
z* = z. Thus z = z* = z_∞, which sets up the required antisymmetry condition
and guarantees uniqueness of the least upper bound. This completes the proof.

All of the results established here have been stated for individual
channels in a packet system. However, we may apply them to the internal
behavior of an entire system in a rather straightforward manner. As an
example, a system slice $ is a prefix of a slice $' if and only if each
component stream in $ is a prefix of the corresponding component stream in
$'. All properties of the PREFIX stream relation are just as valid for the
PREFIX slice relation. Similarly, all properties of the stream relation SUBSEQ
hold for slices. Moreover, all properties of the PRECEDES relation on channel
states apply to system states. In particular, the following theorem, which we
call the Limit Existence Theorem, holds:

Theorem: If {<$_i, $_i*>} is a complete execution sequence for a packet system,
and if $_∞ = sup_PREFIX {$_i*}, then sup_PRECEDES {<$_i, $_i*>} is well-defined
and unique and equal to <$_∞, $_∞>.
We now give a formal definition for the notion of continuity,
which was mentioned in the previous section. Continuity is a property of a
module's external characteristic relation, so we define it for binary relations
over slices:

Definition: A relation ~ on slices is continuous if whenever $ = sup {$_i},
where the sequence {$_i} of slices satisfies $_i PREFIX $_{i+1} for all i, then
($, $') ∈ ~ <=> ∃ a sequence {$_i'} of slices such that

(1) ($_i, $_i') ∈ ~ for all i;

(2) $_i' SUBSEQ $_{i+1}' for all i; and

(3) $' = sup {$_i'} is uniquely defined.

4.5. Characterization of internal specifications

Now that we have the notion of complete execution sequences of system
states, we can define the internal specifications of a packet system: they
relate input slices to output slices and constitute the system's internal
characteristic relation. For the sample system C that has been discussed, we
have INT_C ⊆ (X^∞) × (Y^∞) and the internal specifications are formally
characterized by ((x), (y)) ∈ INT_C <=> there is a complete execution
sequence {<$_i, $_i*>} for C such that x_0 = x and y_∞ = y, where x_0 and y_∞
are defined by $_0 = (x_0, s_0, r_0, y_0) and $_∞ = (x_∞, s_∞, r_∞, y_∞). Note
that x_0 represents the initial input presented to C and that y_∞ represents
the ultimate output yielded by C. We can generalize this to an arbitrary
system by quantifying the condition x_0 = x over all input channels X and
quantifying the condition y_∞ = y over all output channels Y. Note that the
definition of INT_SYS is in effect parameterized by the structural description
of system SYS and by the characteristic relations of the component modules in
SYS.

The development of internal specifications for packet systems is now
complete. We have two ways of formally describing the behavior of a packet
system: externally, in terms of its interaction with the outside world, and
internally, in terms of its structure and composition. We can apply this to
correctness proofs by observing that a system SYS is correctly realized by its
internal structure if and only if its (external) characteristic relation EXT_SYS
and its internal characteristic relation INT_SYS are identical. A correctness
proof for a packet system will therefore consist of a demonstration that each
of these two relations is contained in the other.

Aside from the obvious application to system verification, the formal
specifications we have developed for packet systems are valuable in achieving
a frequently overlooked objective: understanding the behavior of these
systems. Our operational approach lets us model the activity within a system
step by step. The "dot notation" tables for execution sequences are a useful
pedagogical tool, aiding in a person's comprehension of what goes on in
packet systems. It is hoped that even without going through a process of
formal verification, designers of asynchronous, nondeterminate systems will
find the techniques developed here to be of assistance in building packet
systems.
5.1. Structure of a correctness proof

A packet system is realized as an interconnection of component modules, and
its behavior is formally defined by its internal specifications; the system is
correct when these agree with its external specifications.

To prove correctness of a particular system SYS, one must show that
INT_SYS ⊆ EXT_SYS and EXT_SYS ⊆ INT_SYS. The first inclusion asserts that all
system behavior realized by some complete execution sequence satisfies the
external specifications EXT_SYS. We call this the consistency portion of the
proof, since it verifies that the internal realization is consistent with the
external specifications. The other inclusion asserts that all behavior
permitted by the external specifications may be realized by some complete
execution sequence. This is called the synthesis portion of the proof, since
it involves construction of an appropriate execution sequence to realize each
instance of system behavior.
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The simplest example we can give of a correctness proof is for a 
system ID composed from two copies Nl and N2 of the negation module N 
described in section 3.3. The structure of this system is shown in 
figure 5.1-1. 



System ID
    inputs X(boolean)
    outputs Z(boolean)
    internals Y(boolean)
    Submodules
        N1 inputs X; outputs Y
        N2 inputs Y; outputs Z
    Initially empty

Figure 5.1-1: A simple system ID to be proved correct



The behavior of ID is trivial: any boolean packet value coming in on channel
X is twice negated, thus remaining unchanged. Since both N1 and N2
preserve stream ordering and since the channels are all FIFO, the system ID
sends out on Z the identical stream received on X. So to demonstrate the
correctness of ID, we will have to show that its internal characteristic
relation INT_ID matches the external characteristic relation
EXT_ID ⊆ ((X^∞) × (Z^∞)) given by

((x), (z)) ∈ EXT_ID <=> z = x.

For the component modules N1 and N2, the external characteristic relations
EXT_N1 ⊆ ((X^∞) × (Y^∞)) and EXT_N2 ⊆ ((Y^∞) × (Z^∞)) are given by

((x), (y)) ∈ EXT_N1 <=> #y = #x and y[i] = not(x[i]) ∀i ≤ #y
and ((y), (z)) ∈ EXT_N2 <=> #z = #y and z[i] = not(y[i]) ∀i ≤ #z.

Note that all three channel spaces X, Y and Z are equal to the set
{true, false} of boolean values.
We can now formally state the correctness theorem for the given realization of system ID. The definition of the relation INT_ID is incorporated into the following statement.

Theorem: ((x), (z)) ∈ EXT_ID ⇔ ((x), (z)) ∈ INT_ID
  ⇔ ∃ a complete execution sequence {<$_i, $_i*>} for ID such that x_0 = x and z_∞ = z, where x_0 and z_∞ are defined by $_0 = (x_0, y_0, z_0) and $_∞ = sup{$_i*} = (x_∞, y_∞, z_∞).

We recall the definitions of execution sequence and completeness, stating them for our particular system ID: A sequence of the form {<$_i, $_i*>}, in which for each i $_i* = (x_i*, y_i*, z_i*) is a prefix of $_i = (x_i, y_i, z_i), will be an execution sequence for ID if and only if the following five conditions hold:

  (1) [initial state]     $_0* = (ε, ε, ε) and y_0 = z_0 = ε
  (2) [input suspension]  x_i = x_0 for all i
  (3) [consistency]       ((x_i*), (y_i)) ∈ EXT_N1 and ((y_i*), (z_i)) ∈ EXT_N2 for all i
  (4) [PRECEDES]          <$_i, $_i*> PRECEDES <$_{i+1}, $_{i+1}*> for all i
  (5) [connection]        $_{i+1}* PREFIX $_i for all i

An execution sequence {<$_i, $_i*>} for ID is complete if and only if ∀i ∃j such that $_i SUBSEQ $_j*. Note that whenever this is true, the Limit Existence Theorem guarantees that we will also have sup{<$_i, $_i*>} = <$_∞, $_∞>, where $_∞ = sup{$_i*}.

The statement of the correctness theorem for the system ID is now complete, and we are ready to begin developing its proof.

6.2. Proof for the system ID

We must show that for the system ID the external relation EXT_ID and the internal relation INT_ID coincide. The consistency portion of the proof involves showing that INT_ID ⊆ EXT_ID, which means that for any complete execution sequence for ID the initial input x_0 and the limit output z_∞ satisfy the characteristic relation EXT_ID. In proving this, we need to establish a particular property that will be an important ingredient in all our correctness proofs. This property, which we shall call the Limit Size Lemma, concerns the size of channel sequences in a limit state for a system. Essentially, it asserts that the size of each channel stream in the limit state of an execution sequence is the limit of the sizes of the streams for that channel as one proceeds through the states in the execution sequence. Note that this property is not limited to the particular system ID, but rather holds for any system we will wish to prove correct. The Limit Size Lemma is proved by using the least upper bound property of the limit state to establish the least upper bound property for the sequence of sizes.

Lemma: In a complete monotone sequence {<z_i, z_i*>} of channel states for a packet system, if z_∞ = sup{z_i*}, then #z_∞ = sup{#z_i*} = sup{#z_i}.

Proof: The sequence {#z_i*} is a nondecreasing sequence of natural numbers and must either be eventually constant or else increase without bound. In the first case, there exists a j such that ∀k ≥ j: #z_k* = #z_j*, which implies #z_j* = sup{#z_i*}. Now for any k ≥ j, the combination #z_j* = #z_k* and z_j* PREFIX z_k* forces z_j* = z_k*. Thus z_∞ = sup{z_i*} = z_j* and #z_∞ = #z_j* = sup{#z_i*}.

In the second case, sup{#z_i*} = ∞. We claim #z_∞ = ∞. If this is false, then ∃N: #z_∞ = N. But then (∀i: z_i* PREFIX z_∞) implies (∀i: #z_i* ≤ #z_∞ = N), which would make N an upper bound for {#z_i*}, contradicting sup{#z_i*} = ∞. Thus #z_∞ = ∞ = sup{#z_i*}.

Now by the Limit Existence Theorem, we have <z_∞, z_∞> = sup{<z_i, z_i*>}, which implies ∀i: <z_i, z_i*> PRECEDES <z_∞, z_∞>. In particular, ∀i: z_i PREFIX z_∞, so ∀i: #z_i ≤ #z_∞, which makes #z_∞ an upper bound for {#z_i}. Since #z_i* ≤ #z_i for every i, any upper bound for {#z_i} is also an upper bound for {#z_i*} and must therefore be no less than the least upper bound #z_∞. This makes #z_∞ a least upper bound for {#z_i} as well as for {#z_i*}, which completes the proof.

Corollary: If k < ∞ and k ≤ #z_∞, then there exists an i such that #z_i* ≥ k.

Proof: Suppose that for all i we had #z_i* < k. This would imply ∀i: #z_i* ≤ k-1, which makes k-1 an upper bound for {#z_i*}. But by the Limit Size Lemma, #z_∞ is the least upper bound, so we would have #z_∞ ≤ k-1 < k, which contradicts the hypothesis for finite k.

Now that we have established this lemma, the consistency proof for the system ID is quite short. In this and the other proofs we shall use the abbreviation LSL to denote a use of the Limit Size Lemma. Given a complete execution sequence as in the statement of the correctness theorem for ID, we must show that if x = x_0 and z = z_∞, then ((x), (z)) ∈ EXT_ID. This is true if and only if z = x, i.e.

  #z = #x and z[k] = x[k] ∀k ≤ #z,

so we must verify both a size property and an element property of z_∞.

We first note that the input suspension property of an execution sequence gives x_i = x_0 = x for all i, so we must also have x_∞ = x. In particular, #x_∞ = #x. But then we have

  #z_∞ = sup{#z_i}       (LSL)
       = sup{#y_i*}      (by EXT_N2)
       = #y_∞            (LSL)
       = sup{#y_i}       (LSL)
       = sup{#x_i*}      (by EXT_N1)
       = #x_∞            (LSL)
       = #x,

which establishes the desired size property.

The element condition is equally easy. For any natural number k ≤ #z_∞, the corollary to the LSL gives ∃i: #z_i* ≥ k, so

  z[k] = z_∞[k]
       = z_i*[k]              (since z_i* PREFIX z_∞)
       = z_i[k]               (since z_i* PREFIX z_i)
       = not(y_i*[k])         (by EXT_N2)
       = not(y_i[k])          (since y_i* PREFIX y_i)
       = not(not(x_i*[k]))    (by EXT_N1)
       = not(not(x_i[k]))     (since x_i* PREFIX x_i)
       = x_i[k] = x[k]        (since x_i = x_0 = x).

This is the required element condition, and the consistency portion of the proof is now complete.

The above consistency proof may appear to be relatively intricate for such a trivial system as ID, but it really isn't. All we really had to do was set up two simple chains of equalities that trace the internal data paths and apply the behavioral properties of the component modules. For noncyclic systems, this presents no real difficulties.

The synthesis portion of the correctness proof for ID involves showing that EXT_ID ⊆ INT_ID. For each given input stream x and each corresponding output stream z, we need to construct an execution sequence for ID to realize the appropriate system behavior. Thus, given streams x and z for which ((x), (z)) ∈ EXT_ID, we must realize the internal behavior of ID by a matching execution sequence $_0, $_1, ... in which each system state $_i is a 3-tuple (x_i, y_i, z_i) of dotted channel states. (The dot, as we mentioned earlier, separates the acknowledged prefix from the rest of a channel stream.)
Our strategy is to produce a general order in which the component modules absorb and process packets. The order we choose for these actions in the system ID is as follows: (1) Module N1 receives a packet p from channel X and generates its negation not(p) for output on Y; (2) Module N2 receives the not(p) packet from Y and generates a packet with value not(not(p)) = p for output on Z; (3) The outside world receives and acknowledges the p packet from Z. This sequence of actions is repeated once for each packet in the presented input stream x. Thus the execution sequence we shall generate for the given streams x and z will be cyclic of period three.

Synthesis proof: Given streams x and z for which ((x), (z)) ∈ EXT_ID, we note that this means z = x. Let k = #x (note that k may be infinite), and let y be the unique stream of size k for which each element is given by y[i] = not(x[i]). For each natural number i starting from zero, define

  (0) $_{3i} = (x[1:i].x[i+1:k], y[1:i]., z[1:i].).

This formula gives every third state in the execution sequence. For i = 0, it reduces to the case of the initial system state

  $_0 = (.x, ., .),

since the stream segments indexed by the expression [1:i] = [1:0] are all empty. For each natural number i starting from one, define

  (1) $_{3i-2} = (x[1:i].x[i+1:k], y[1:i-1].y[i], z[1:i-1].) and
  (2) $_{3i-1} = (x[1:i].x[i+1:k], y[1:i]., z[1:i-1].z[i]).

These two formulas give all the system states whose indices are respectively one more and two more than the multiples of three. Together, the formulas (0), (1) and (2) define an infinite sequence of system states $_0, $_1, ... which may be verified in an extremely tedious and extremely straightforward manner to in fact be a complete execution sequence for the system ID. We will not go into the details here, since the remainder of the proof is neither interesting nor illuminating. We shall, however, make some comments about the execution sequence we just constructed.

First, we make some observations about the states. In the i-th state given by formula (1), the i-th packet x[i] in the input stream x has just been absorbed by module N1, and its negation is seen as a newly-generated (but not yet acknowledged) packet on channel Y, denoted by the ".y[i]". In the corresponding (i-th) state given by (2), this packet has been received and acknowledged by N2, and N2 has generated a new packet with value z[i]. This state is followed by the i-th state given by (0), which reflects the acknowledgment of the z[i] packet by the outside world.

If the size k of the input stream x is finite, then the above sequence of system states will repeat endlessly after $_{3k}. All states from this point on will be identical, namely

  (*) (x., y., z.).

In this terminal state, all the input packets have been processed and a complete response has been passed to the outside world. Since the sequence of states is eventually constant in this case, the limit is precisely this repeating terminal state. In the case of an infinite input stream x, the states in the infinite sequence are all distinct, and the terminal state given by (*) above is the limit even though it does not actually occur within the sequence. In either case, we note that the output stream z will be identical to the input stream x by the hypothesis ((x), (z)) ∈ EXT_ID.

The execution sequences produced by the synthesis proof do not exhaust all possible sequences for the system ID; however, they are sufficient to realize all legal behaviors for ID given by EXT_ID.
One trivial observation remains concerning our realization of system ID. Since all three channels X, Y and Z accept only boolean-valued packets, there is obviously no conflict between packet type restrictions.

The proof given here may seem lengthy, but its logical and mathematical ingredients are brief and straightforward. The place where we took the functional composition of the two negation relations to yield the identity relation was in the final step of the consistency portion of the proof, when we used the identity not(not(p)) = p. Systems without cyclic data dependencies in their internal structure are proved in similar fashion to satisfy the appropriate composition of the external characteristic relations of their component modules. In the next section, we prove correctness for a system with cyclic structure.

6.3. Proof for the system C

One of the sample packet systems we have already worked with, the system C composed from the adder module A and the distribute module D, has a cyclic interconnection structure. In this system, shown again in figure 6.3-1, channels S and R form a directed cycle. We shall prove the correctness of system C in this section. It is not hard to give an informal characterization of the system behavior. Initially, module A pairs up the first packet value input from X with the zero packet on channel R, sending out the sum to both Y and R by way of module D. This sum, once passed around through R back into A, is added to the next packet input to A from X and the new sum is cycled around again on channels S and R. In this way, we can see that module A computes a sequence of cumulative sums of packets taken from the system input stream x. Thus the behavior of C is to send out on Y a stream of cumulative sums of packets taken in on X. We wish to prove that this is indeed the case; to do this, we shall make use of the formal specification techniques that have been developed here.

  Figure 6.3-1: The cyclic packet system C
  (diagram: channel X enters module A; A's output channel S enters module D; D's output channel R returns to A and its output channel Y leaves the system)

    System C
      inputs    X(integer)
      outputs   Y(integer)
      internals S(integer), R(integer)
      Submodules
        A  inputs X, R; outputs S
        D  inputs S; outputs R, Y
      Initially R<0>

We have previously given the external characteristic relations EXT_A ⊆ (X* × R*) × (S*) and EXT_D ⊆ (S*) × (R* × Y*) for modules A and D. The relation EXT_D is defined by

  ((s), (r, y)) ∈ EXT_D ⇔ r = y = s,

and EXT_A is defined by

  ((x, r), (s)) ∈ EXT_A ⇔ #s = min(#x, #r) and s[i] = x[i] + r[i] ∀i ≤ #s.

The external specifications for the system C are identical to those for the cumulative adder module C described in Chapter 3. The external characteristic relation EXT_C ⊆ (X*) × (Y*) is defined by

  ((x), (y)) ∈ EXT_C ⇔ #y = #x and y[i] = Σ_{j=1}^{i} x[j] ∀i ≤ #y.

In proving the correctness of system C, we must show that the system's internal characteristic relation INT_C is precisely equal to EXT_C. The following
correctness theorem for C incorporates the definition of INT_C.

Theorem: ((x), (y)) ∈ EXT_C ⇔ ((x), (y)) ∈ INT_C
  ⇔ ∃ a complete execution sequence {<$_i, $_i*>} for C such that x_0 = x and y_∞ = y, where x_0 and y_∞ are defined by $_0 = (x_0, s_0, r_0, y_0) and $_∞ = sup{$_i*} = (x_∞, s_∞, r_∞, y_∞).

Execution sequences for system C were formally defined in Section 4.4. We reiterate here that in an execution sequence {<$_i, $_i*>} for C, each system state $_i has the form $_i = (x_i, s_i, r_i, y_i), and each acknowledged prefix $_i* has the form $_i* = (x_i*, s_i*, r_i*, y_i*). We are now ready to develop the correctness proof for system C.

There are two lemmas we shall require that deal with the preservation of a certain kind of channel state relationship as an execution sequence for the system C is taken to its limit. Lemma 1 is a basic property of least upper bounds of sequences of natural numbers. Lemma 2, which we call the Minimum Limit Lemma, allows us to draw a significant conclusion about the size of certain channel streams in the limit state of an execution sequence.

Lemma 1: If {k_i} and {m_i} are nondecreasing sequences of natural numbers and k_i ≤ m_i for all i, then for k = sup{k_i} and m = sup{m_i} we have k ≤ m.

Proof: For each i we have k_i ≤ m_i ≤ m, so m is an upper bound for {k_i} and is therefore no less than the least upper bound k.

Lemma 2: If {k_i}, {m_i} and {n_i} are nondecreasing sequences of natural numbers such that k_i = min(m_i, n_i) for all i, then for k = sup{k_i}, m = sup{m_i} and n = sup{n_i} we have k = min(m, n).

Proof: ∀i: k_i ≤ m_i, so by Lemma 1, k ≤ m. Similarly, k ≤ n, so k ≤ min(m, n). We now show that strict inequality leads to a contradiction. If we had k < min(m, n) then k < m and k < n, so ∃i1: k < m_{i1} (otherwise k ≥ m_i for each i would imply k ≥ m) and ∃i2: k < n_{i2}. Now for i = max(i1, i2) we have k < m_{i1} ≤ m_i and k < n_{i2} ≤ n_i, so k < min(m_i, n_i) = k_i ≤ k. The result k < k is a contradiction, which forces k = min(m, n).
We now proceed with the main body of the correctness proof for C.

Consistency proof: In this part of the proof, we shall use the abbreviation LSL to denote use of the Limit Size Lemma. If we are given a complete execution sequence as in the statement of the Theorem, we must show that if x = x_0 and y = y_∞, then ((x), (y)) ∈ EXT_C. This is true if and only if

  #y = #x and y[i] = Σ_{j=1}^{i} x[j] ∀i ≤ #y,

so we shall verify both a size property and an element property of y_∞. By the input suspension property of an execution sequence, x_i = x_0 = x for all i, so we must also have x_∞ = x. In particular, #x_∞ = #x. Now we have

  #y_∞ = sup{#y_i}                      (LSL)
       = sup{#s_i*}                     (by EXT_D)
       = #s_∞                           (LSL)
       = sup{#s_i}                      (LSL)
       = sup{min(#x_i*, #r_i*)}         (by EXT_A)
       = min(sup{#x_i*}, sup{#r_i*})    (by the Minimum Limit Lemma)
       = min(#x_∞, #r_∞)                (LSL).

If #x_∞ ≤ #r_∞, then we have #y_∞ = #x_∞ = #x, which is the desired size property. Otherwise, we have

  (*) #r_∞ ≤ #x_∞,

so that #y_∞ = #r_∞ by the chain above, and then

  #y_∞ = #r_∞
       = sup{#r_i}                      (LSL)
       = sup{1 + #s_i*}                 (by EXT_D, since R initially holds the packet 0)
       = 1 + sup{#s_i*}
       = 1 + #s_∞                       (LSL)
       = 1 + min(#x_∞, #r_∞)            (from the previous chain of equalities)
       = 1 + #r_∞                       (by (*)),

which can only be the case if #y_∞ = #r_∞ = ∞. But (*) then yields ∞ = #r_∞ ≤ #x_∞, so #x_∞ = ∞. This forces #y_∞ = #x_∞ = ∞, which yields the desired size property in this case as well.

The element condition is straightforward to establish. We need to show that

  y_∞[k] = Σ_{j=1}^{k} x_0[j] for all k ≤ #y_∞.

Now for any k ≤ #y_∞, the corollary to the LSL implies ∃i: k ≤ #y_i*. Since y_i* PREFIX y_∞ and y_i* PREFIX y_i, we have y_∞[k] = y_i*[k] = y_i[k]. We can now work with the particular system state indexed by i. We have:

  y_i[k] = s_i*[k]                   (by EXT_D)
         = s_i[k]                    (since s_i* PREFIX s_i)
         = x_i*[k] + r_i*[k]         (by EXT_A)
         = x_i[k] + r_i[k]           (since x_i* PREFIX x_i and r_i* PREFIX r_i)
         = x_i[k] + (0 ⊕ y_i)[k]     (by EXT_D, since R holds 0 followed by the copies of s)
         = x_0[k] + (0 ⊕ y_i)[k]     (since x_i = x_0).

Thus we have y_i[k] = x_0[k] + (0 ⊕ y_i)[k], which yields the pair of equations

  (1) y_i[1] = x_0[1] and
  (2) ∀k > 1: y_i[k] = x_0[k] + y_i[k-1].

We now claim by induction that for all k ≤ #y_i,

  y_i[k] = Σ_{j=1}^{k} x_0[j].

The basis step is precisely equation (1) above, and the induction step follows directly:

  y_i[k] = x_0[k] + y_i[k-1] = x_0[k] + Σ_{j=1}^{k-1} x_0[j] = Σ_{j=1}^{k} x_0[j],

in which the second equality is the inductive hypothesis and the first follows from equation (2) above. But this now gives us the result

  y_∞[k] = y_i[k] = Σ_{j=1}^{k} x_0[j],

which is precisely the required element condition. This completes the consistency portion of the correctness proof for C.

Note that the inductive argument was necessitated by the cyclic structure of the system C. In general, a cyclic system requires induction of some form in order to establish that its external characteristic relation is satisfied by a complete execution sequence.

For the synthesis portion of the proof, we need to construct an appropriate execution sequence for the system C given an input stream x and an output stream y. The sequences we construct here shall repeat in periods of four states, as we now show.

Synthesis proof: Given streams x and y for which ((x), (y)) ∈ EXT_C, we must realize the internal behavior of the system C by an appropriate execution sequence. Let k = #x (note that k may be infinite), and let "⊕" denote the stream concatenation operator. We proceed to construct an execution sequence $_0, ..., $_i, ... in which each system state $_i is a 4-tuple (x_i, s_i, r_i, y_i) of dotted channel states. For each natural number i starting from zero, define

  (0) $_{4i} = (x[1:i].x[i+1:k], y[1:i]., (0⊕y)[1:i].(0⊕y)[i+1], y[1:i].).

For i = 0, this reduces to the case of the initial system state

  $_0 = (.x, ., .0, .).

For each natural number i starting from one, define

  (1) $_{4i-3} = (x[1:i-1].x[i:k], y[1:i-1]., (0⊕y)[1:i]., y[1:i-1].),
  (2) $_{4i-2} = (x[1:i].x[i+1:k], y[1:i-1].y[i], (0⊕y)[1:i]., y[1:i-1].), and
  (3) $_{4i-1} = (x[1:i].x[i+1:k], y[1:i]., (0⊕y)[1:i].y[i], y[1:i-1].y[i]).

The above formulas (0), (1), (2) and (3) define an infinite sequence of system states $_0, ..., $_i, ... for which it is again both tedious and straightforward to verify that it is in fact a complete execution sequence for the system C. As before, the gory details are omitted here.

We now make some observations about the sequence that we just constructed. It is cyclic of period four and corresponds to a particular order of system actions. In the states given by formula (1), a packet has just been absorbed by the A module from the R channel. The states given by (2) correspond to module A absorbing a packet from the input channel X. In these states, the value of this input packet is added to the packet previously taken from R and the sum is seen as a newly-generated packet on channel S (not yet acknowledged), denoted by the ".y[i]". In the states given by (3), module D has absorbed a packet from channel S, and this packet is newly visible in the states for the channels R and Y. The states given by (0) reflect packets output by the system C having been acknowledged by the outside world.

If the size k of the input stream x is finite, then the above sequence of system states will repeat endlessly after $_{4k+1}, the state in which A has acknowledged the last packet on R. All states from this point on will be identical to the limit state

  (x., y., (0⊕y)., y.),

in which all the input packets have been processed and a complete response has been passed to the outside world. Since the sequence of states is eventually constant in this case, the limit is precisely this repeating terminal state. In the case of an infinite input stream x, the states in the infinite sequence are all distinct, and this terminal state is the limit even though it does not actually occur within the sequence.

This completes the correctness proof for the system C.
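The verification that the synthesis proofs for ID (section 6.2) and C call tedious and straightforward, and omit, can be done mechanically for any finite input. The Python script below is an added example and is not part of the thesis: it builds the states of the two synthesis sequences from formulas (0)-(2) for ID and (0)-(3) for C, checks the five execution-sequence conditions and completeness, and confirms that the limit state satisfies EXT_ID and EXT_C. It assumes a finite input stream, represents a dotted channel state as the pair (acknowledged prefix, full stream), treats completeness along the prefix-ordered chain as a prefix test, and appends to the C sequence one terminal state in which A has acknowledged the last packet on R. The dictionaries ID and C and all function names are mine.

```python
"""Mechanical check of the execution sequences constructed for ID and C (added example)."""
from itertools import accumulate


def is_prefix(a, b):
    """a PREFIX b on tuples."""
    return len(a) <= len(b) and b[:len(a)] == a


def state(**chans):
    """Dotted channel states: name -> (acknowledged prefix, full stream); 'a.u' becomes (a, a+u)."""
    return {c: (tuple(a), tuple(a) + tuple(u)) for c, (a, u) in chans.items()}


# External characteristic relations of the component modules, applied to the
# acknowledged input slices and the full output streams of one system state.
def ext_N(ins, outs):      # negation: #y = #x and y[i] = not(x[i])
    x, y = ins["x"], outs["y"]
    return len(y) == len(x) and all(b == (not a) for a, b in zip(x, y))


def ext_A(ins, outs):      # adder: #s = min(#x, #r) and s[i] = x[i] + r[i]
    x, r, s = ins["x"], ins["r"], outs["s"]
    return len(s) == min(len(x), len(r)) and all(c == a + b for a, b, c in zip(x, r, s))


def ext_D(ins, outs):      # distribute: r = y = s
    return outs["r"] == ins["s"] and outs["y"] == ins["s"]


# A system: its input channels, initial channel contents, and wired-up modules (assumed encoding).
ID = {"inputs": ["X"], "initial": {},
      "modules": [(ext_N, {"x": "X"}, {"y": "Y"}), (ext_N, {"x": "Y"}, {"y": "Z"})]}
C = {"inputs": ["X"], "initial": {"R": (0,)},    # R initially holds the packet 0
     "modules": [(ext_A, {"x": "X", "r": "R"}, {"s": "S"}),
                 (ext_D, {"s": "S"}, {"r": "R", "y": "Y"})]}


def check_sequence(seq, system, x):
    """Names of the execution-sequence conditions violated by seq (empty list = valid and complete).

    seq is a finite, eventually constant list of states, so suprema are read off its last state.
    """
    x, initial, inputs = tuple(x), system["initial"], system["inputs"]
    bad = set()
    if any(ack != () or full != (x if c in inputs else initial.get(c, ()))
           for c, (ack, full) in seq[0].items()):
        bad.add("initial state")
    for i, st in enumerate(seq):
        if any(st[c][1] != x for c in inputs):
            bad.add("input suspension")
        for rel, ins, outs in system["modules"]:
            # a module's output on a channel is the full stream minus the channel's initial packets
            if not rel({k: st[c][0] for k, c in ins.items()},
                       {k: st[c][1][len(initial.get(c, ())):] for k, c in outs.items()}):
                bad.add("consistency")
        if i + 1 < len(seq):
            nxt = seq[i + 1]
            if not all(is_prefix(st[c][0], nxt[c][0]) and is_prefix(st[c][1], nxt[c][1]) for c in st):
                bad.add("PRECEDES")
            if not all(is_prefix(nxt[c][0], st[c][1]) for c in st):
                bad.add("connection")
        # completeness: every packet present at state i is acknowledged at some later state
        # (the thesis writes this with SUBSEQ; along a prefix-ordered chain it is a prefix test)
        if not any(all(is_prefix(st[c][1], later[c][0]) for c in st) for later in seq[i:]):
            bad.add("completeness")
    return sorted(bad)


def limit_state(seq):
    """sup of the acknowledged prefixes; for an eventually constant sequence, the last ones."""
    return {c: seq[-1][c][0] for c in seq[-1]}


def id_sequence(x):
    """$_0 .. $_3k from formulas (0), (1), (2) of the synthesis proof for ID."""
    x = tuple(x); y = tuple(not p for p in x); z = tuple(not p for p in y)
    seq = [state(X=((), x), Y=((), ()), Z=((), ()))]
    for i in range(1, len(x) + 1):          # N1 fires, N2 fires, outside world acknowledges
        seq += [state(X=(x[:i], x[i:]), Y=(y[:i-1], y[i-1:i]), Z=(z[:i-1], ())),
                state(X=(x[:i], x[i:]), Y=(y[:i], ()), Z=(z[:i-1], z[i-1:i])),
                state(X=(x[:i], x[i:]), Y=(y[:i], ()), Z=(z[:i], ()))]
    return seq


def c_sequence(x):
    """$_0 .. $_4k from formulas (0)-(3) of the synthesis proof for C, plus the terminal state."""
    x = tuple(x); y = tuple(accumulate(x)); r0 = (0,) + y   # r0 = 0 (+) y, the full history of R
    seq = [state(X=((), x), S=((), ()), R=((), (0,)), Y=((), ()))]
    for i in range(1, len(x) + 1):  # A takes R packet, A takes x[i], D fires, outside acknowledges
        seq += [state(X=(x[:i-1], x[i-1:]), S=(y[:i-1], ()), R=(r0[:i], ()), Y=(y[:i-1], ())),
                state(X=(x[:i], x[i:]), S=(y[:i-1], y[i-1:i]), R=(r0[:i], ()), Y=(y[:i-1], ())),
                state(X=(x[:i], x[i:]), S=(y[:i], ()), R=(r0[:i], r0[i:i+1]), Y=(y[:i-1], y[i-1:i])),
                state(X=(x[:i], x[i:]), S=(y[:i], ()), R=(r0[:i], r0[i:i+1]), Y=(y[:i], ()))]
    # assumption: A acknowledges the last packet on R, after which the sequence is constant
    seq.append(state(X=(x, ()), S=(y, ()), R=(r0, ()), Y=(y, ())))
    return seq


def EXT_ID(x, lim):
    return lim["Z"] == x                      # z = x


def EXT_C(x, lim):
    return lim["Y"] == tuple(accumulate(x))   # y[i] = x[1] + ... + x[i]


def realizes(seq, system, x, ext):
    """True iff seq is a complete execution sequence whose limit state satisfies ext."""
    return check_sequence(seq, system, x) == [] and ext(tuple(x), limit_state(seq))


if __name__ == "__main__":
    xs = (True, False, False)
    print("ID:", check_sequence(id_sequence(xs), ID, xs), limit_state(id_sequence(xs))["Z"])
    print("C: ", check_sequence(c_sequence((3, 1, 4)), C, (3, 1, 4)), limit_state(c_sequence((3, 1, 4)))["Y"])
```

check_sequence returns the names of the violated conditions rather than a bare boolean, so a corrupted sequence (two states swapped, which breaks PRECEDES, or a packet acknowledged on R before D generated it, which breaks the connection property) is reported rather than silently accepted.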

6.4. Proof for a nondeterminate system

The correctness proofs given in the two preceding sections have dealt with modules and systems that are explicitly determinate. Our techniques, though, have been designed to handle nondeterminate behavior. This section contains a correctness proof for the sample nondeterminate system S depicted in figure 6.4-1.

  Figure 6.4-1: A sample nondeterminate system S
  (diagram: channel X enters module J; J's output channel U enters module F; F's output channel V returns to J and its output channel Y leaves the system)

    System S
      inputs    X(integer)
      outputs   Y(integer)
      internals U(integer), V(integer)
      Submodules
        J  inputs X, V; outputs U
        F  inputs U; outputs V, Y
      Initially empty

This system, whose behavior was discussed in the last chapter, is composed from the nondeterminate merge module J and the feedback-modified first module F, both of which were described in section 3.3. The nondeterminacy in the system's behavior arises from module J passing on its output channel U an arbitrarily chosen interleaving of the packet streams taken from the two input channels X and V.

We can informally characterize the behavior of system S in response to an arbitrary input stream x. If there are no inputs on channel X, then nothing can be done, and the empty stream is output on channel Y. Otherwise the first input value is taken by module J and eventually passed on channel U. This packet is output on Y, and a packet with value four greater than the given value is sent on V back to module J, where there is a "race" between it and the second input packet. If it wins the race (gets processed and output by J first), then it is output on Y and no further packets get sent out on V. If it loses, it finds itself in successive races with successive input packets from X until it finally wins. Thus, the system S outputs all of its input packets in the order in which they were received as input, but also outputs a packet with value four greater than the first input packet. This extra packet may appear in the output at any place after the first packet in the stream. We now proceed to prove that the system S behaves precisely as its external specification EXT_S requires.
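To check this informal characterization on finite inputs, the following Python script (an added example, not from the thesis) encodes J and F as a small state machine and explores every interleaving J can choose, collecting the output streams at the terminal states. It assumes that the outside world always accepts packets on Y, that a state is terminal when no module can act, and that F emits its single V packet at the moment it absorbs its first U packet; the function names are mine, and ext_S encodes the characterization stated above as a set of streams.

```python
"""Exhaustive exploration of the schedules of the nondeterminate system S (added example)."""


def successors(st):
    """All states reachable in one module action from st = (x, v, u, y, fired).

    x, v, u: packets not yet absorbed on channels X, V and U; y: packets output on Y;
    fired: whether F has already emitted its single packet on V.
    """
    x, v, u, y, fired = st
    nxt = []
    if x:                                   # J absorbs the next X packet ...
        nxt.append((x[1:], v, u + x[:1], y, fired))
    if v:                                   # ... or the V packet: this choice is the race
        nxt.append((x, v[1:], u + v[:1], y, fired))
    if u:                                   # F absorbs a U packet: copy to Y, first one also +4 to V
        p = u[0]
        nxt.append((x, v if fired else v + (p + 4,), u[1:], y + (p,), True))
    return nxt


def reachable_outputs(x):
    """Set of all Y streams at terminal states (no action enabled) over every interleaving."""
    start = (tuple(x), (), (), (), False)
    seen, todo, outs = set(), [start], set()
    while todo:
        st = todo.pop()
        if st in seen:
            continue
        seen.add(st)
        nxt = successors(st)
        if not nxt:
            outs.add(st[3])
        todo.extend(nxt)
    return outs


def ext_S(x):
    """The set of y with ((x), (y)) in EXT_S: {ε} for empty x; otherwise y[1] = x[1] and
    y is a merge of x with <x[1]+4>, i.e. x with the extra packet inserted anywhere after position 1."""
    x = tuple(x)
    if not x:
        return {()}
    extra = x[0] + 4
    return {x[:m] + (extra,) + x[m:] for m in range(1, len(x) + 1)}


def characterization_holds(x):
    """True iff every interleaving J can choose yields a y in EXT_S, and every such y is reachable."""
    return reachable_outputs(x) == ext_S(x)


if __name__ == "__main__":
    for y in sorted(reachable_outputs((7, 1, 2))):
        print(y)
```

The exploration is a depth-first search over the finite state space, so it is only a check for particular finite inputs; the proof that follows in the text is what covers all inputs, including infinite ones.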

We repeat the definitions of the external characteristic relations EXT_J ⊆ (X* × V*) × (U*) and EXT_F ⊆ (U*) × (V* × Y*) for the modules J and F. The relation EXT_F is defined by

  ((u), (v, y)) ∈ EXT_F ⇔ y = u and #v = min(1, #u) and v[i] = u[i] + 4 ∀i ≤ #v,

and EXT_J is defined by

  ((x, v), (u)) ∈ EXT_J ⇔ u is a merge of x and v (so that #u = #x + #v).

Note that EXT_J is satisfied by every interleaving of x and v, so it does not determine u uniquely. The external characteristic relation EXT_S ⊆ (X*) × (Y*) for the system is defined as follows: ((x), (y)) ∈ EXT_S holds if and only if both x and y are empty, or x is nonempty and

  #y = 1 + #x and y[1] = x[1] and y is a merge of x and <x[1]+4>.

We now state the correctness theorem for our realization of the system S.

Theorem: ((x), (y)) ∈ EXT_S ⇔ ((x), (y)) ∈ INT_S
  ⇔ ∃ a complete execution sequence {<$_i, $_i*>} for S such that x_0 = x and y_∞ = y, where x_0 and y_∞ are defined by $_0 = (x_0, u_0, v_0, y_0) and $_∞ = sup{$_i*} = (x_∞, u_∞, v_∞, y_∞).

In an execution sequence for S, the system states are of the form $_i = (x_i, u_i, v_i, y_i) and $_i* = (x_i*, u_i*, v_i*, y_i*). The one property of execution sequences that should be stated here explicitly is consistency:

  ((x_i*, v_i*), (u_i)) ∈ EXT_J and ((u_i*), (v_i, y_i)) ∈ EXT_F for all i.

There are a few interesting properties relating to least upper bounds and execution sequences which we shall establish before going into the actual details of the correctness proof. These results are contained in the following lemmas.

The following lemma is called the Sum Limit Lemma and asserts that the least upper bound of the termwise sum of two sequences is the sum of the least upper bounds of these two sequences. The Sum Limit Lemma will be used in the consistency part of the correctness proof for system S in the same way the Minimum Limit Lemma was used in the correctness proof for system C in the preceding section.
Lemma: If {x_i}, {y_i} are nondecreasing sequences of natural numbers for which x = sup{x_i} and y = sup{y_i}, and if we define the sequence {s_i} by s_i = x_i + y_i for each i, then sup{s_i} = x + y.

Proof: If ∃k1 ∀i ≥ k1: x_i = x_{k1}, then x = x_{k1}. If ∃k2 ∀i ≥ k2: y_i = y_{k2}, then y = y_{k2}. If both of these hold, then for k = max(k1, k2) we have

  i ≥ k ⇒ s_i = x_i + y_i = x_k + y_k = s_k, so
  sup{s_i} = s_k = x_k + y_k = x_{k1} + y_{k2} = x + y.

Otherwise, {x_i} and {y_i} are not both eventually constant, so at least one of these two sequences must increase without bound. If it is {x_i} that is unbounded, then x = ∞, which gives us

  sup{s_i} = sup{x_i + y_i} ≥ sup{x_i} = x = ∞ = ∞ + y = x + y.

The same argument applies with the roles of {x_i} and {y_i} exchanged. This completes the proof.

Before we get into the actual correctness proof for system S, there is one more preliminary result that needs to be established. Suppose a packet system is in a state for which all packets have already been acknowledged. (In terms of "dot notation", all the dots for the channel states are at the right-hand ends of their streams.) One would like to infer from this that the system is in a limit state, i.e. has finished its ultimate response to the presented input. In other words,

  Lemma? If $_j = $_j* in an execution sequence {<$_i, $_i*>} for a given system, then $_j = $_∞ = sup{$_i*}.

Unfortunately, this is not always true. There are circumstances under which the notion of "ultimate response" is ill-defined. Consider a module with one input channel and one output channel, and suppose that if it is presented the input stream <a>, then either of the two output streams <b> or <b, c> constitutes a valid response. If the module responds with <b>, then it may acknowledge its input and its output packet may be acknowledged as well. But it cannot be determined whether or not an additional packet c will come out subsequently; in other words, it is not known whether the module has yielded its ultimate output, i.e. finished responding to its input. This kind of anomaly occurs if a module allows two distinct ultimate output slices in response to a given input slice, and one of them is a prefix of the other. If we can rule out such situations, then the condition stated above will be satisfied. Accordingly, we define a module to be strict if it is not possible for one of its output slices to be a proper prefix of another when there is some input slice to which the two given output slices are distinct valid responses. Formally, we have

  Definition: A module M is strict if whenever we have (I, O) ∈ EXT_M and (I, O') ∈ EXT_M with O PREFIX O', then O = O'.

All determinate modules are obviously strict, and any module for which the sizes of the output streams are functionally determined from the inputs will also be strict. This includes the nondeterminate merge module J. We now state the corrected lemma.

Lemma: If all modules in system SYS are strict, and if $_j = $_j* in an execution sequence {<$_i, $_i*>} for SYS, then $_j = $_∞ = sup{$_i*}.

Proof: For any possible system state <$_{j+1}, $_{j+1}*> that can follow the given state j, we must have $_j* PREFIX $_{j+1}* PREFIX $_j = $_j*, which forces

  (1) $_j* = $_{j+1}*.

Also, $_j = $_j* PREFIX $_{j+1}* PREFIX $_{j+1}, so

  (2) $_j PREFIX $_{j+1}.

Now equation (1) implies that for each module M in the system, its input slice remains unchanged between state j and state j+1. Equation (2) implies that M's output slice at state j is a prefix of M's output slice at state j+1. But M is strict, so its output slices at these two states must be equal. Since this holds for all modules in the system simultaneously, we must have $_j = $_{j+1}. Thus no successor state to j may differ from it, so the state at j must be a limit state. This establishes the desired result.

We call the above lemma the Cutoff Lemma because it "cuts off" an execution sequence once all packets are acknowledged.

We now proceed with the main body of the correctness proof for the system S. We must prove that the external relation EXT_S coincides with the internal relation INT_S. The proof divides into the two usual portions.

Consistency proof: Given a complete execution sequence {<$_i, $_i*>} for S, let x = x_0 and y = y_∞. To show ((x), (y)) ∈ EXT_S, there are two cases to consider. If x = ε, then the initial state must be given by

  (x_0, u_0, v_0, y_0) = (., ., ., .),

so by the Cutoff Lemma we have y_∞ = y_0 = ε. Thus EXT_S is always satisfied in this case. Otherwise #x ≥ 1, and we have the following chain of equalities for the size condition:

  #y_∞ = sup{#y_i}                      (LSL)
       = sup{#u_i*}                     (by EXT_F)
       = #u_∞                           (LSL)
       = sup{#u_i}                      (LSL)
       = sup{#x_i* + #v_i*}             (by EXT_J)
       = sup{#x_i*} + sup{#v_i*}        (by the Sum Limit Lemma)
       = #x_∞ + #v_∞                    (LSL).

Now we also have

  #v_∞ = sup{#v_i}                      (LSL)
       = sup{min(1, #u_i*)}             (by EXT_F)
       = min(1, sup{#u_i*})             (by the Minimum Limit Lemma)
       = min(1, #u_∞)                   (LSL).

From the first chain, #u_∞ = #x_∞ + #v_∞ ≥ #x_∞ = #x ≥ 1. Thus #v_∞ = 1 and #y = 1 + #x, which is the required size condition.

To establish the element condition, we must show that y[1] = x[1] and y is a merge of x and <x[1]+4>. We first note that v_0* = ε (by the initial state property) and v_∞ ≠ ε (as proved above), so there must be a state i for which v_i* = ε and v_{i+1}* ≠ ε. Now by the connection property, v_{i+1}* PREFIX v_i, so v_i ≠ ε, which by EXT_F implies u_i* ≠ ε. But by EXT_J, as long as v_i* = ε we have u_i = x_i* PREFIX x. Then since u_i* ≠ ε and u_i* PREFIX u_i, we must have u_i*[1] = u_i[1] = x[1]. Now for any n ≥ i, u_i* PREFIX u_n*, so u_n*[1] = x[1]; thus, by using EXT_F again we obtain y_n[1] = u_n*[1] = x[1]. Since this holds for all n ≥ i, we must have y_∞[1] = x[1] as required.

What is left to show is that y_∞ is a merge of x and <x[1]+4>. We have already shown that there is a state i for which u_i*[1] = x[1]. Then by EXT_F we have v_i = <x[1]+4>. Now by completeness of the execution sequence there must be a state j for which x_i SUBSEQ x_j* and v_i SUBSEQ v_j*. Since x_j* PREFIX x_j = x = x_i and since #v_j* ≤ #v_j ≤ 1 for all j, this means that for the j we just chose we must have x = x_j* and v_∞ = v_j* = <x[1]+4>. But now by EXT_J, u_j must be a merge of x_j* and v_j*, which means u_j is a merge of x and v_∞ = <x[1]+4>. Now we use the completeness property again: given j, there must be a state k for which u_j SUBSEQ u_k*. By EXT_F, y_k = u_k*; and by another use of completeness there is a state m such that y_k SUBSEQ y_m*. But then y_m* PREFIX y_∞, and by tracing a transitive chain of subsequences and prefixes we obtain u_j SUBSEQ y_k SUBSEQ y_∞. Finally, since x and <x[1]+4> occur in u_j as disjoint subsequences, they must occur in y_∞ as disjoint subsequences. But x = x_∞ and <x[1]+4> = v_∞ represent all the packets that can ultimately be passed on channels X and V, so all the packets that can ultimately be passed on channel U are contained in u_j. Similarly, all the packets that can ultimately be passed on channel Y are contained in y_k. Thus y is a merge of x and <x[1]+4>, satisfying EXT_S, which completes the consistency portion of the proof.

The element condition was extremely difficult to verify, because we had to trace the progress of individual packets through the system. There seems to be no readily available method to simplify this proof, despite the elementary system structure.

For the synthesis part of the proof, if the system's input and output streams are nontrivial, then the execution sequence will repeat in periods of three states. The construction is now given.

Synthesis proof: Given ((x), (y)) ∈ EXT_S, we must construct a complete execution sequence to realize this behavior of S internally. The execution sequence will be of the form $0, ..., $i, ..., in which the system state $i is a 4-tuple (xi, ui, vi, yi) of dotted channel states. If x = ε, then we must have y = ε, and the required execution sequence will have all states identical to (•, •, •, •). Otherwise, #x will be some k > 0 (we allow the possibility of k = ∞). In this case, y must be of size #y = k+1. There must also be some finite index m such that 1 < m ≤ k+1 and y[m] = x[1]+4. Moreover, the concatenation of the remaining elements of y must satisfy

y[1:m-1] @ y[m+1:k+1] = x,

which means that

y = x[1:m-1] @ x[1]+4 @ x[m:k].

(We are abusing notation here to let "@" concatenate packets with streams.) We now construct our execution sequence for x and y. The stream v is defined by v = <x[1]+4>.

For each natural number i from zero through m-1 inclusive, define

(A0) $3i = (x[1:i].x[i+1:k], x[1:i]., .v[1:i], x[1:i].).

When i = 0, this reduces to the case of the initial system state

$0 = (.x, ., ., .).

For each natural number i from one through m-1 inclusive, define

(A1) $3i-2 = (x[1:i].x[i+1:k], x[1:i-1].x[i], .v[1:i-1], x[1:i-1].) and
(A2) $3i-1 = (x[1:i].x[i+1:k], x[1:i]., .v[1:i], x[1:i-1].x[i]).

We now define the specific system states

(B1) $3m-2 = (x[1:m-1].x[m:k], x[1:m-1].v[1], v[1]., x[1:m-1].),
(B2) $3m-1 = (x[1:m-1].x[m:k], x[1:m-1]@v[1]., v[1]., x[1:m-1].v[1]), and
(B0) $3m = (x[1:m-1].x[m:k], x[1:m-1]@v[1]., v[1]., x[1:m-1]@v[1].).

Finally, for each natural number i ≥ m+1, define

(C1) $3i-2 = (x[1:i-1].x[i:k], x[1:m-1]@v[1]@x[m:i-2].x[i-1], v[1]., x[1:m-1]@v[1]@x[m:i-2].),
(C2) $3i-1 = (x[1:i-1].x[i:k], x[1:m-1]@v[1]@x[m:i-1]., v[1]., x[1:m-1]@v[1]@x[m:i-2].x[i-1]), and
(C0) $3i = (x[1:i-1].x[i:k], x[1:m-1]@v[1]@x[m:i-1]., v[1]., x[1:m-1]@v[1]@x[m:i-1].).

When i ≥ k+1, formula (C0) generates the system state

$3i = (x., x[1:m-1]@v[1]@x[m:k]., v[1]., x[1:m-1]@v[1]@x[m:k].),

which is a limit state for system S.

The above set of formulas generates a well-defined infinite sequence of system states $0, ..., $i, ..., for which it is a straightforward but tedious exercise to verify that it is a complete execution sequence.

The formulas we have just given require some comment in order to be properly understood. The execution sequence constructed above consists of three parts (A), (B) and (C). Part (A) corresponds to the first m-1 packets from X being passed through the system and out on Y. In the states given by formula (A1), module J has received a packet from X and is passing it out on channel U. In the states given by formula (A2), module F has absorbed this packet and is passing it out on channel Y. For the first packet F receives, it also sends out on channel V the value of this packet incremented by 4. The states given by (A0) correspond to the outside world receiving an output packet and acknowledging it. Part (B) handles the processing of the one packet passed on channel V. In state (B1) this packet is absorbed by J and passed on U; in state (B2) it is received by F and passed out on Y; and in state (B0) it is received and acknowledged by the outside world. Part (C) treats the processing of the remaining input packets from the m-th on; the states given by formulas (C1), (C2) and (C0) correspond to those given by (A1), (A2) and (A0).
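As an added worked example, not part of the thesis, the construction above can be carried out mechanically for a finite input stream. The Python below builds the states $0, ..., $3(k+1) from formulas (A), (B) and (C) and checks the properties the consistency proof relies on: the initial state, EXT_J (U carries a merge of the acknowledged prefixes of X and V) and EXT_F (Y repeats the acknowledged prefix of U, and V carries the first acknowledged U packet plus 4) at every state, the connection property between consecutive states, completeness of the limit state, and finally EX_S on the limit output. The encodings of EXT_J and EXT_F are assumptions reconstructed from the way the proof uses them; a dotted channel state "a.b" is represented as the pair (a, b), and all function names are the example's own.

```python
from functools import lru_cache
from typing import List, Tuple

Stream = List[int]
# A dotted channel state "a.b" is stored as (a, b): a is the acknowledged prefix
# (the page's c*), b the packets transmitted but not yet acknowledged.
Channel = Tuple[Stream, Stream]
SystemState = Tuple[Channel, Channel, Channel, Channel]   # channels (X, U, V, Y)


def full(c: Channel) -> Stream:
    """The whole stream transmitted on a channel so far (the page's c_i)."""
    return c[0] + c[1]


def is_merge(u: Stream, a: Stream, b: Stream) -> bool:
    """True iff u is an order-preserving interleaving of a and b."""
    if len(u) != len(a) + len(b):
        return False

    @lru_cache(maxsize=None)
    def go(i: int, j: int) -> bool:
        k = i + j
        if k == len(u):
            return True
        return ((i < len(a) and a[i] == u[k] and go(i + 1, j)) or
                (j < len(b) and b[j] == u[k] and go(i, j + 1)))

    return go(0, 0)


def execution_sequence(x: Stream, m: int) -> List[SystemState]:
    """States $0 .. $3(k+1) from formulas (A), (B) and (C), for a finite input x of
    size k and the index m (1 < m <= k+1) at which x[1]+4 appears in the output."""
    k = len(x)
    if not 1 < m <= k + 1:
        raise ValueError("m must satisfy 1 < m <= k+1")
    v1 = x[0] + 4                       # v = <x[1]+4>, the single packet F emits on V
    pre = x[:m - 1]                     # x[1:m-1], the packets output before v[1]
    states: List[SystemState] = [(([], x), ([], []), ([], []), ([], []))]   # $0 = (.x, ., ., .)
    # Part (A): x[1], ..., x[m-1] pass from X through J onto U, then through F onto Y.
    for i in range(1, m):
        xc: Channel = (x[:i], x[i:])                          # x[1:i].x[i+1:k]
        v_seen = [v1] if i > 1 else []                        # v[1:i-1]: V carries v once F absorbed x[1]
        states.append((xc, (x[:i - 1], [x[i - 1]]), ([], v_seen), (x[:i - 1], [])))   # (A1) $3i-2
        states.append((xc, (x[:i], []), ([], [v1]), (x[:i - 1], [x[i - 1]])))         # (A2) $3i-1
        states.append((xc, (x[:i], []), ([], [v1]), (x[:i], [])))                      # (A0) $3i
    # Part (B): the one packet on V is absorbed by J, passed by F to Y, and acknowledged.
    xc = (pre, x[m - 1:])                                     # x[1:m-1].x[m:k]
    states.append((xc, (pre, [v1]), ([v1], []), (pre, [])))              # (B1) $3m-2
    states.append((xc, (pre + [v1], []), ([v1], []), (pre, [v1])))       # (B2) $3m-1
    states.append((xc, (pre + [v1], []), ([v1], []), (pre + [v1], [])))  # (B0) $3m
    # Part (C): x[m], ..., x[k] follow, three states per packet, as in part (A).
    for i in range(m + 1, k + 2):
        xc = (x[:i - 1], x[i - 1:])                           # x[1:i-1].x[i:k]
        done = pre + [v1] + x[m - 1:i - 2]                    # x[1:m-1] @ v[1] @ x[m:i-2]
        nxt = x[i - 2]                                        # x[i-1]
        states.append((xc, (done, [nxt]), ([v1], []), (done, [])))               # (C1) $3i-2
        states.append((xc, (done + [nxt], []), ([v1], []), (done, [nxt])))       # (C2) $3i-1
        states.append((xc, (done + [nxt], []), ([v1], []), (done + [nxt], [])))  # (C0) $3i
    return states


def check_execution(x: Stream, m: int) -> Stream:
    """Check that the constructed sequence is a complete execution sequence of S
    (initial state, EXT_J and EXT_F at every state, connection property, completeness)
    and that its limit output satisfies EXT_S; returns the limit output stream y."""
    states = execution_sequence(x, m)
    assert states[0] == (([], x), ([], []), ([], []), ([], [])), "initial state property"
    prev = None
    for X, U, V, Y in states:
        u_ack = U[0]
        # EXT_J (assumed encoding): U carries a merge of the acknowledged prefixes of X and V.
        assert is_merge(full(U), X[0], V[0]), "EXT_J violated"
        # EXT_F (assumed encoding): Y repeats u*, and V carries u*[1]+4 once u* is nonempty.
        assert full(Y) == u_ack, "EXT_F (Y) violated"
        assert full(V) == ([u_ack[0] + 4] if u_ack else []), "EXT_F (V) violated"
        if prev is not None:
            for before, after in zip(prev, (X, U, V, Y)):
                # Connection property as the proofs use it: c_{i+1}* PREFIX c_i,
                # and an acknowledged prefix is never retracted.
                assert full(before)[:len(after[0])] == after[0], "connection property violated"
                assert after[0][:len(before[0])] == before[0], "acknowledged prefix shrank"
        prev = (X, U, V, Y)
    limit = states[-1]
    assert all(c[1] == [] for c in limit), "limit state still has unacknowledged packets"
    y = full(limit[3])
    # EXT_S: y[1] = x[1], #y = 1 + #x, and y is a merge of x and <x[1]+4>.
    assert y[0] == x[0] and len(y) == len(x) + 1 and is_merge(y, x, [x[0] + 4]), "EXT_S violated"
    return y
```

For x = <1, 2, 3> and m = 2 the construction yields 13 states and the limit output <1, 5, 2, 3>; choosing m = k+1 instead puts the V packet last, and part (C) is then empty.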

The proof of correctness for the nondeterminate system S is now 
complete. We shall talk about more general proof techniques in the next 
section. 

5.5. Proving correctness of more complex packet systems 



So far in this chapter, we have given correctness proofs for three particular packet systems. All three systems are rather simple in both behavior and structure, but a lot of machinery has to be manipulated in order to verify them. There is a significant problem that arises in considering how to apply the techniques that have been developed here to larger, more useful systems. As systems increase in complexity, their formal descriptions and correctness proofs grow more complex at a much faster rate. Proving the correctness of packet systems that are substantially larger than the toy-sized ones we treated may thus turn out so complicated as to be of dubious practicality. The only remedy for this kind of situation is to somehow reduce the complexity of packet systems as they are seen from within correctness proofs. We now address this issue.

Much of the complexity in our correctness proofs comes from setting up execution sequences. However, execution sequences were introduced into our model to handle one particular characteristic of system structure, which is cyclic interconnection dependencies. When a system's structure is acyclic, its internal specifications may be characterized much more simply than through execution sequences. In particular, the internal characteristic relation of an acyclic system may be expressed as an appropriate functional or relational composition of the external characteristic relations of the component modules. Consider, for example, the system SYS illustrated in figure 5.5-1.
Figure 5.5-1: An acyclic packet system.

Suppose that the external specifications for the modules A, B and C are given by the respective characteristic relations EXT_A, EXT_B and EXT_C. Let us also assume that the module A is determinate, which makes the relation EXT_A functional over ((W*) × (P* × Q*)). Then there are two stream functions, ap: W* → P* and aq: W* → Q*, which together characterize the behavior of module A. The internal characteristic relation INT_SYS for system SYS is given by the composition

((w,x), (y,z)) ∈ INT_SYS ⟺ ∃r: ((x, aq(w)), (r, z)) ∈ EXT_C & ((ap(w), r), (y)) ∈ EXT_B.

This compositional characterization relieves us of the need to go into the complications of execution sequences with the acyclic system SYS.
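As an added example (not the thesis's own code), the following Python computes INT_SYS for the system of figure 5.5-1 exactly as the composition above prescribes, by enumerating the candidate witnesses r. The module behaviours are assumptions chosen for illustration: ap copies W onto P, aq doubles each packet onto Q, module C nondeterminately merges X and Q onto R and copies Q onto Z, and module B is the adder relation used later in the thesis (#y = min(#p, #r), y[i] = p[i] + r[i]). Only finite slices are handled, so the existential quantifier becomes a finite search over the streams EXT_C can put on channel R.

```python
from typing import Iterator, List, Set, Tuple

Stream = List[int]


def merges(a: Stream, b: Stream) -> Iterator[Stream]:
    """Enumerate every order-preserving interleaving of the finite streams a and b."""
    if not a or not b:
        yield list(a) + list(b)
        return
    for rest in merges(a[1:], b):
        yield [a[0]] + rest
    for rest in merges(a, b[1:]):
        yield [b[0]] + rest


# Module A is determinate, so EXT_A splits into the two stream functions ap and aq.
# Both behaviours are ASSUMED for this example: P gets a copy of W, Q gets W doubled.
def ap(w: Stream) -> Stream:
    return list(w)


def aq(w: Stream) -> Stream:
    return [2 * p for p in w]


def ext_c(x: Stream, q: Stream, r: Stream, z: Stream) -> bool:
    """ASSUMED EXT_C (nondeterminate): R is some merge of X and Q, and Z is a copy of Q."""
    return z == q and any(r == cand for cand in merges(x, q))


def ext_b(p: Stream, r: Stream, y: Stream) -> bool:
    """EXT_B taken to be the thesis's adder: #y = min(#p, #r) and y[i] = p[i] + r[i]."""
    n = min(len(p), len(r))
    return len(y) == n and all(y[i] == p[i] + r[i] for i in range(n))


def in_int_sys(w: Stream, x: Stream, y: Stream, z: Stream) -> bool:
    """INT_SYS by relational composition:
    exists r: ((x, aq(w)), (r, z)) in EXT_C  and  ((ap(w), r), (y)) in EXT_B.
    The witness r ranges over the finitely many streams EXT_C can place on channel R."""
    p, q = ap(w), aq(w)
    return any(ext_c(x, q, r, z) and ext_b(p, r, y) for r in merges(x, q))


def realizable_outputs(w: Stream, x: Stream) -> Set[Tuple[Tuple[int, ...], Tuple[int, ...]]]:
    """All (y, z) output slices SYS can produce for the input slice (w, x)."""
    p, q = ap(w), aq(w)
    outs = set()
    for r in merges(x, q):
        y = [p[i] + r[i] for i in range(min(len(p), len(r)))]
        outs.add((tuple(y), tuple(q)))
    return outs
```

For w = <1, 2> and x = <10>, channel R can carry <10, 2, 4>, <2, 10, 4> or <2, 4, 10>, so SYS can answer with y = <11, 4>, <3, 12> or <3, 6>, always with z = <2, 4>; any other (y, z) is rejected by in_int_sys because no witness r exists.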

We can give a general formulation of how the internal specifications of any acyclic packet system can be characterized as an appropriate composition of the external characteristic relations of the component modules. Our formulation has one condition on it: the external characteristic relations of the component modules must all be continuous. Continuity was defined in the preceding chapter. The formulation is contained in the statement of the following theorem:

Theorem: If an acyclic system SYS has the structural description

System SYS
  inputs W(--), ..., X(--);
  outputs Y(--), ..., Z(--);
  internal U(--), ..., V(--);
  submodules
    M: inputs P, ..., Q; outputs R, ..., S;
  initially U<u0>, ..., V<v0>, Y<y0>, ..., Z<z0>,

and if for each component module M the external characteristic relation EXT_M is continuous, then

((w,...,x), (y,...,z)) ∈ INT_SYS ⟺ ∃u,...,v ∀M: ((p,...,q), (r,...,s)) ∈ EXT_M.
One has to examine the statement of the theorem carefully in order to observe that it in fact characterizes INT_SYS as a composition of the external characteristic relations EXT_M. The crucial point is the existential quantification of the channel streams u,...,v through which the EXT_M relations are composed. Proving the theorem requires two directions of argument. The "left to right" implication asserts that given a complete execution sequence realizing an instance of the behavior of SYS, there are appropriate internal channel streams connecting the input to the output in a manner satisfying all the EXT_M relations. This will be proved by using the Limit Existence Theorem and the continuity of the EXT_M. Note that this part of the proof does not use the assumption that the system structure is acyclic.

The reverse implication asserts that anything realized as the given composition of the EXT_M must also be realized by a complete execution sequence for SYS. This direction of proof is more difficult, and we need three preliminary lemmas in order to prove it. Lemma 1 is a simple property of insertion mappings that realize streams as subsequences of other streams. Lemma 2 asserts that a subsequence relation between streams is unaffected by the presence or absence of certain packets in the streams. Lemma 3 asserts that in producing execution sequences for the proof of the theorem, one can always find a sequence of acknowledged prefixes so as to assure completeness. We now proceed with the lemmas and the proof of the theorem.

Lemma 1: If f is any insertion, then f(i) ≥ i for all i in the domain of f.

Proof: The result is obviously true for i = 1. Inductively, if we assume it true for i = m, then we have f(m+1) > f(m) ≥ m, which implies f(m+1) ≥ m+1.
Lemma 2: If x SUBSEQ y and if there is an m ≤ #x such that x[1:m-1] = y[1:m-1] and x[m] ≠ y[m], then x SUBSEQ y', where y' = y[1:m-1] @ y[m+1:#y].

Proof: For any insertion f of x into y, define the function g by

g(i) = if i < m then i else f(i).

g is an insertion of x into y which is the identity mapping over the first m-1 values. By Lemma 1, g(m) ≥ m, but y[m] ≠ x[m] rules out g(m) = m. We thus have both g(m-1) = m-1 and g(m) > m, which imply that m is not in the range of g. This fact, together with the fact that y[i] = y'[i-1] ∀i > m, makes the function h defined by

h(i) = if i < m then g(i) else g(i)-1

an insertion of x into y', which proves the lemma.

Lemma 3: If {ci} is a sequence of streams such that ∀i: ci SUBSEQ ci+1, and if c = sup{ci} (under SUBSEQ) is uniquely defined, then there is a sequence {ci*} of streams such that ∀i: ci* PREFIX ci and ∀i: ci* PREFIX ci+1*, and sup{#ci*} = #c.

Proof: For each i we shall let ci* be the longest prefix of ci that is also a prefix of all the cj following ci. More precisely, let

mi = sup{n ≤ #ci : ci[1:n] = cj[1:n] ∀j > i}

and ci* = ci[1:mi].

Clearly, {mi} is nondecreasing, so ci* PREFIX ci and ci* PREFIX ci+1* for all i. If m = sup{mi} = sup{#ci*}, we must show m = #c. Since it is clear that m ≤ #c, this will be proved by contradiction; we shall assume m < #c and show that the sequence {ci} has another least upper bound under SUBSEQ besides c.

If m < #c, then there is some i for which mi = m and #ci > m. We shall claim that the existence of this i forces the existence of a stream c' ≠ c such that c' SUBSEQ c and ∀j: cj SUBSEQ c', contradicting the unique definition of c = sup{cj} under SUBSEQ. First observe that

(1) cj[1:m] = ck[1:m] (∀j,k > i) = ci[1:m].

Now take any j > i; since ci SUBSEQ cj (by transitivity of SUBSEQ) we have #cj ≥ #ci > m. We first claim that

(2) cj[1:m] PREFIX c.

If this is not true, then there must be some n ≤ m for which cj[1:n-1] = c[1:n-1] and cj[n] ≠ c[n]. But then Lemma 2 implies that cj SUBSEQ c', where c' = c[1:n-1] @ c[n+1:#c]. Since the value of n is independent of our choice of j > i (by equation (1)), this makes c' an upper bound for all the cj beyond ci under SUBSEQ, and hence for all the cj. But c' ≠ c and c' SUBSEQ c, which makes c' a lower upper bound than c, giving us the desired contradiction. This establishes equation (2).

There are now two cases to consider. If ci[m+1] ≠ c[m+1], then since equation (2) gives ci[1:m] PREFIX c, we can apply Lemma 2 to obtain ci SUBSEQ c', where c' = c[1:m] @ c[m+2:#c]. Otherwise ci[m+1] = c[m+1], and since m+1 > mi, there must exist a k > i for which ck[m+1] ≠ ci[m+1] = c[m+1]; since ck[1:m] = ci[1:m] = c[1:m], the same argument as in the first case gives ck SUBSEQ c'. The transitivity of SUBSEQ then yields

ci SUBSEQ ck SUBSEQ c'.

In either case we must have ci SUBSEQ c', which makes c' an upper bound for all the cj under SUBSEQ. Since c' SUBSEQ c and c' ≠ c, we again have the desired contradiction. Thus it is impossible to have m < #c, and so we must have m = sup{#ci*} = #c, which completes the proof.
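The three lemmas are constructive, and the following Python (an added example, not from the thesis) carries their constructions out on finite streams: insertion finds an insertion mapping and so decides SUBSEQ, lemma2_insertion builds the mappings g and h of Lemma 2, and acknowledged_prefixes builds the ci* of Lemma 3 for a finite SUBSEQ chain. The function names are the example's own; insertion mappings are 1-based, as in the lemmas.

```python
from typing import List, Optional

Stream = List[int]


def insertion(x: Stream, y: Stream) -> Optional[List[int]]:
    """Leftmost insertion of x into y: a strictly increasing 1-based map f with
    y[f(i)] = x[i]; None when x SUBSEQ y fails."""
    f: List[int] = []
    j = 0
    for xi in x:
        while j < len(y) and y[j] != xi:
            j += 1
        if j == len(y):
            return None
        f.append(j + 1)
        j += 1
    return f


def is_insertion(f: List[int], x: Stream, y: Stream) -> bool:
    """Check the defining properties of an insertion of x into y."""
    return (len(f) == len(x)
            and all(f[i] < f[i + 1] for i in range(len(f) - 1))
            and all(1 <= f[i] <= len(y) and y[f[i] - 1] == x[i] for i in range(len(f))))


def lemma1_holds(f: List[int]) -> bool:
    """Lemma 1: f(i) >= i for every i in the domain of f."""
    return all(f[i - 1] >= i for i in range(1, len(f) + 1))


def lemma2_insertion(x: Stream, y: Stream, m: int) -> List[int]:
    """Lemma 2 construction. Hypotheses: x SUBSEQ y, x[1:m-1] = y[1:m-1], x[m] != y[m].
    Returns h, an insertion of x into y' = y[1:m-1] @ y[m+1:#y]."""
    f = insertion(x, y)
    if f is None or x[:m - 1] != y[:m - 1] or x[m - 1] == y[m - 1]:
        raise ValueError("hypotheses of Lemma 2 not met")
    g = [i if i < m else f[i - 1] for i in range(1, len(x) + 1)]   # g(i) = if i < m then i else f(i)
    assert m not in g    # g(m-1) = m-1 and g(m) > m, so m lies outside the range of g
    return [g[i - 1] if i < m else g[i - 1] - 1 for i in range(1, len(x) + 1)]   # h(i)


def common_prefix_len(a: Stream, b: Stream) -> int:
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return n


def acknowledged_prefixes(chain: List[Stream]) -> List[Stream]:
    """Lemma 3 construction on a finite SUBSEQ chain c_1, c_2, ...: c_i* = c_i[1:m_i] with
    m_i = max{n <= #c_i : c_i[1:n] = c_j[1:n] for all j > i}.  Each c_i* is a prefix of
    c_i and of c_{i+1}*, so it can safely be acknowledged at state i."""
    for a, b in zip(chain, chain[1:]):
        if insertion(a, b) is None:
            raise ValueError("not a SUBSEQ chain")
    out: List[Stream] = []
    for i, ci in enumerate(chain):
        m = len(ci)
        for cj in chain[i + 1:]:
            m = min(m, common_prefix_len(ci, cj))
        out.append(ci[:m])
    return out
```

For the chain <1, 3>, <1, 2, 3>, <1, 2, 3, 4> only <1> may be acknowledged at the first state: the packet 2 inserted later in front of 3 would otherwise retract an already acknowledged packet, which is exactly the situation the prefix conditions of Lemma 3 rule out.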



Proof of the theorem (⇒): In this half of the proof, we do not use the assumption that SYS is acyclic. Suppose ((w,...,x), (y,...,z)) ∈ INT_SYS; this means there is a complete execution sequence for SYS realizing the slice (y,...,z) as an ultimate output response to the input slice (w,...,x).

is fiiveiL by »^» $k,H whe» $« » tuP -ft^ Waliiitt/^fc* ib^wHf fia-i^e 
the form (y*^„i^to,%«f^-'^mt f^>^^^^ Wi't^lt* 1S«tiiy„...;y^^af« the d^ii*d 
u V ior WMcli #^ th^ ton^^ci^t^^ lMki4elbdi^ ^att^s 

F&r each labdule 14 With inptit cAtatLi^'^^.^J[i ^d Output ch«Jtttlls 
f9^..MSv'the'lonoii«^4&t«e']HNi|iniMi^''i^ ■' '■'■^^-- '■ '"■^- -''^^- 

(2| (ri»..,.ep SJg^Q i[*«^,i.^l)i*«wir 

Applying the Limit Existence Theorem to these limits, we have

(4) (p,...,q) = sup{(pi*,...,qi*)}, and

so by continuity of M we have ((p,...,q), (r,...,s)) ∈ EXT_M, which is the desired result.

Proof of the theorem (⇐): Suppose we are given a stream for each channel of SYS such that the external characteristic relation EXT_M of each module M is satisfied. We need to construct an appropriate complete execution sequence for SYS. If SYS has acyclic structure, then we may order its channels C1,...,Cn so that if there is a path from C1 to C2 through the system, then C1 must come before C2 in the ordering. For each channel C in turn, taken according to this ordering, we must construct a sequence {<ci, ci*>} of channel states such that the limit state for C is <c, c>, where c is the given stream for C.

Each channel C is either a system input channel or else there is a module M for which C is an output channel. In the former case, we define <ci, ci*> = <c, c[1:i]>, where c is the given stream for channel C. From this, it must follow that sup (under PRECEDES) {<ci, ci*>} = <c, c>. In the latter case, all the input channels of module M have already had appropriate channel sequences constructed, so we already have a sequence of acknowledged prefixes of input slices for M, ordered by the PREFIX relation and with a unique l.u.b. under PREFIX. Since the given stream c for channel C is related to this unique limit through EXT_M, by continuity of M there exists a sequence {ci} of channel streams for C such that ci SUBSEQ ci+1 for all i and such that c = sup (under SUBSEQ) {ci} is uniquely defined. Moreover, EXT_M is satisfied at each state i. By Lemma 3, then, we may define the sequence {ci*} such that for all i, ci* PREFIX ci and ci* PREFIX ci+1*, and such that sup{#ci*} = #c. Thus c = sup (under PREFIX) {ci*}, so in this case, too, we have sup (under PRECEDES) {<ci, ci*>} = <c, c>.

In this way we construct for each channel a sequence of channel states for which the given channel stream is the limit. This gives us a sequence of system states satisfying all the requirements for a complete execution sequence except two: the initial state property and the connection property. The initial state property is in a sense trivial, since given any system SYS there is a corresponding system SYS' consisting of matching modules connected in the same way such that the behavior of SYS' is identical to that of SYS internally as well as externally, and such that the initial state of SYS' is empty, with $0 = (ε,...,ε). SYS' is easy to describe: its specifications are identical to those of SYS except for an empty initial state and for external characteristic relations defined by

Th» ast^ms&s^ 'IfmpesfS^ ^sies ism MIA f^-tii#--a w t ai m er amstrmns^ 

"above, since' ^i* t»/'il«r" a*«^a4l3r ''^'']^»^ niay 

inWfjkHate » cftAffiiii^ ami*' (le^^^e;*^ .B«$i*iiit ^^^*^^^ %»£p**«'^ «).■ 'thal^'the 

connectuai .p^ifer^"l» aili^iifr ' if #» 'i^lB*^^'* * 0^;^ ami^ ' Ci»:^ii; we 

have ■ c,^ mrisT'd^v ' '(^^n^ e^ ?mn i^{^,''!%mm^''^^^ :<|i. 

C** PREFIX Cj att« e;,,* PRIFUl'di'. lii i^to way^ tie' Wfairei execution 

sequence U^ e0lu$sxse$ei§ ^/t' iimiei^si''^ s^^mim ^i^'^^siww^ eiich pair 

of ' existing. ss<sie». sii^^ f& 'oamiiii!^ ^ pa^. 

With proper use of this theorem we can greatly simplify correctness proofs, since acyclic packet systems can be specified and verified much more easily.

The hierarchical structure of packet systems allows us to apply the acyclic simplification technique even to a wide class of systems with directed cycles. Since a packet system is an interconnection of component modules, any portion of a system may itself be viewed as a packet system. The system S shown in figure 5.5-2 has a fairly complex structure, including a directed cycle between modules F, G and H. We can greatly simplify this structure for proof purposes by regarding the portion consisting of modules A, B, C, D and E as a packet system S1 (figure 5.5-3). The system S1 is acyclic and easy to specify; its internal characteristic relation INT_S1 is an appropriate composition of the external characteristic relations of A, B, C, D and E. But the principles of packet communication architecture allow us to treat system S1 as a module whose external characteristic relation EXT_S1 is precisely INT_S1. The structure of system S then reduces to the form
Figure 5.5-2: A more complex system structure.

Figure 5.5-3: Five modules forming a system S1 within S.

Figure 5.5-4: Simplified structure for system S.

shown in figure 5.5-4. For the system S, our acyclic simplification technique has reduced the structural complexity by one-half.

It is possible to carry our technique further by treating the portion of system S consisting of modules F, G and H as a system S2 (figure 5.5-5).




Figure 5.5-5: A second system S2 within S. 

This manipulation simplifies the structure of system S enormously, reducing it 
to what is shown in figure 5.5-6. 
Figure 5.5-6: Further simplified structure for system S.

This structure is acyclic and therefore simple to characterize. It may seem 
that we have reduced our proof to the point of triviality, but this is not the 
case. The only way to determine the specifications for the cyclic system S2 is through execution sequences; thus, the proof for system S has been essentially reduced to a characterization and correctness proof for the new system S2. For a general system, structural composition techniques such as these can greatly reduce the complexity of correctness proofs, but in the presence of directed cycles there still is no way to avoid the intricacies of execution sequences.
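The collapsing technique is a graph operation, and the Python below (an added example, not the thesis's) performs it on a constructed structure standing in for figure 5.5-2. The page gives only the module names, the directed cycle among F, G and H, and the fact that A, B, C, D and E form an acyclic subsystem, so the individual channels are assumed. topological_order reports whether a structure is acyclic, channel_order produces the channel ordering used in the proof of the theorem above, and collapse folds a set of submodules into a single module the way S1 and S2 are formed; simplify_s shows that after the first collapse the cycle F, G, H still forces execution sequences, and only the second collapse leaves an acyclic structure.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Edge = Tuple[str, str]   # an internal channel: (source module, destination module)


def topological_order(modules: Set[str], channels: List[Edge]) -> Optional[List[str]]:
    """Kahn's algorithm. Returns an ordering of the modules in which every channel's
    source precedes its destination, or None when the structure has a directed cycle."""
    indeg: Dict[str, int] = {m: 0 for m in modules}
    succ: Dict[str, List[str]] = defaultdict(list)
    for s, d in channels:
        succ[s].append(d)
        indeg[d] += 1
    ready = sorted(m for m in modules if indeg[m] == 0)
    order: List[str] = []
    while ready:
        m = ready.pop(0)
        order.append(m)
        for d in sorted(succ[m]):
            indeg[d] -= 1
            if indeg[d] == 0:
                ready.append(d)
    return order if len(order) == len(modules) else None


def channel_order(modules: Set[str], channels: List[Edge]) -> Optional[List[Edge]]:
    """The channel ordering used in the proof of the theorem: if there is a path from C1
    to C2 then C1 comes first.  Sorting channels by the position of their source module
    suffices, because a path from C1 = (a, b) to C2 = (c, d) forces b, hence a, before c."""
    order = topological_order(modules, channels)
    if order is None:
        return None
    pos = {m: i for i, m in enumerate(order)}
    return sorted(channels, key=lambda ch: pos[ch[0]])


def collapse(modules: Set[str], channels: List[Edge],
             part: Set[str], name: str) -> Tuple[Set[str], List[Edge]]:
    """Treat the submodules in `part` as one module `name` (the S1, S2 step of the page).
    Channels joining two members of the part become internal to the new module and
    disappear from the structure; all others are re-pointed at the new module."""
    new_modules = (modules - part) | {name}
    new_channels: List[Edge] = []
    for s, d in channels:
        s2 = name if s in part else s
        d2 = name if d in part else d
        if not (s2 == name and d2 == name):
            new_channels.append((s2, d2))
    return new_modules, new_channels


# CONSTRUCTED structure standing in for figure 5.5-2: the page names the modules, the
# cycle among F, G and H, and the acyclic subsystem A..E; the individual edges are assumed.
S_MODULES = {"A", "B", "C", "D", "E", "F", "G", "H"}
S_CHANNELS: List[Edge] = [("A", "B"), ("A", "C"), ("B", "D"), ("C", "D"), ("D", "E"),
                          ("E", "F"), ("F", "G"), ("G", "H"), ("H", "F")]


def simplify_s() -> Tuple[Optional[List[str]], Optional[List[str]], Optional[List[str]]]:
    """Apply the two collapsing steps and report the module order at each stage
    (None means the structure is still cyclic and needs execution sequences)."""
    stage0 = topological_order(S_MODULES, S_CHANNELS)
    m1, c1 = collapse(S_MODULES, S_CHANNELS, {"A", "B", "C", "D", "E"}, "S1")
    stage1 = topological_order(m1, c1)
    m2, c2 = collapse(m1, c1, {"F", "G", "H"}, "S2")
    stage2 = topological_order(m2, c2)
    return stage0, stage1, stage2
```

On the constructed structure simplify_s returns (None, None, ['S1', 'S2']): the original system and the system with S1 formed are both cyclic, and only once F, G and H are folded into S2 does the structure reduce to the acyclic form of figure 5.5-6.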

We have just seen how the structure of a packet system can be simplified for proof purposes by "collapsing" portions of the system into modules. Using this technique together with the theorem we proved about acyclic systems can greatly reduce the complexity of packet system verification.

In this chapter, we have shown how our model for specifying packet systems can be applied to proving them correct. There is no question that the correctness proofs presented here are complicated, even for small systems. However, part of the complexity found in these proofs was contained in the development of a basic set of lemmas that can serve as building blocks for other proofs. There are a number of approaches to generalizing the proof techniques that have been presented here, and we will describe some of them in the next chapter.

CHAPTER 6: CONCLUSIONS 

6.1. Review of the research 

The basic task of this research has been the development of a 
methodology for formally describing the behavior of packet communication 
systems. The work here was motivated by the notable difficulty of designing 
computer systems and, more specifically, in making sure that they act 
correctly. Consequently, one of the major goals underlying the specification 
techniques presented here has been suitability for formal verification of 
system correctness. We have taken a particular view of systems: hardware 
systems composed by interconnecting smaller units. The research presented 
here has been a first attempt to formally describe and verify the behavior of 
systems viewed in this way. 

The class of packet communication systems is distinguished by a 
number of desirable system structuring properties that facilitate description 
and verification. Our approach to specification depends on the properties of 
modularity, hierarchy, speed independence and uniformity of interface. Until 
now, the principal benefits under which packet systems have been promoted 
have concerned the fact that the asynchronous, concurrent operation of packet 
systems allows for faster system performance by allowing for more efficient 
scheduling of the available computational resources. This document has, for 
the first time, identified those properties of packet communication architecture 
which make packet systems well-structured and amenable to formal 
description. Appropriate use of the concepts of structured system design 
makes it easier to design and understand systems even without formal verification; with formal methods, system correctness can be mathematically demonstrated as well.

Systems may be viewed externally, through their interaction with the outside world, or internally, in terms of their composition from smaller components. From an external point of view, the behavior of a packet system is the relationship between streams of packets transmitted on the system's input and output channels. The denotational approach we have taken towards external specifications for packet systems is elegant precisely because it gives direct mathematical expression to these sequences of packets; the formal descriptions that constitute our external specifications contain no extraneous notions that would only serve to occlude the relevant behavioral properties. Thus, the use of mathematical operations on streams provides an appropriate level of abstraction to aid in the formal description of system behavior.

Denotational specifications may be provided for modules at all the hierarchical levels of abstraction in a packet system. This gives a complete formal description of the behavior of the system and all the component modules in it, from the top level down to the primitive modules at the bottom. In order to verify the system, it must be shown that at each level the given modules are interconnected so as to perform the correct function. Because of the great difficulties involved in providing a denotational characterization for the behavior of an interconnection of nondeterminate modules, an operational approach to system verification was chosen. There is no existing methodology for formally describing compositions of either hardware or software systems, let alone verifying them. With the notion of execution sequences, the behavior of a system can be expressed in terms of the behavior of its component modules and the way they are structurally fitted together. By handling determinate and nondeterminate systems in a uniform fashion, the research here constitutes a substantial innovation in the field of system specification.

Aaoth«r adyipti^ of oiyr f«|Eppi^^^^^j^|i|cujttoar ff«i9^C9ii i* jthat 

channels. This haste notto| is f|^j|gr*f|^^^^r^^j^ |^ the 

internal operftioa ^si tmi^'^jts^$u^^Mb9m%^!0^ ^^i^tpafilkce^aMti are 

bein^ modeled, mawov^, fffif, ^oi|^^^M|^^ 

a module decides «^^ of ffV||j^^^^||ej^^j»^^^ f»^.^f^fivaf ii^«|«H^red 

by the way vw have drfined the fl^j^,^ 

streams. Decisions based c^^^}Ml^ar||isg jif ^ mt^0m M^h:M^ im»^4^ a* 

being made when the packet's receipt is acknowledged. All the notions embodied in execution sequences for packet systems have been developed in such a way as to be consistent with respect to the physical properties of the systems. Thus, execution sequences as presented here not only describe system behavior and allow for formal verification, but also support appropriate conceptual abstractions.

In addition to the basic development of our specification methodology, we have demonstrated its applicability to verification by working out correctness proofs for three sample packet systems. In the course of these proofs, we stated and proved a number of auxiliary lemmas. At the level of packet communication architecture, we have exhibited a high-level descriptive formalism for specifying the interaction of packet modules and systems with the outside world; we have formalized the concept of what it means for a system to be composed from modules and how its operation may be defined in terms of the behavior of the component modules; and we have begun the development of methods for formal verification of the correctness of packet systems.

The work here has opened up the way for a great deal of further research into system specification and verification. There are two principal areas open for future investigation: the use of streams and stream operations in external specifications, and generalization of our proof techniques to more complex systems.

There is no way to reduce the complexity of the external characteristic relations of modules within a packet system, but it is feasible to develop higher-level descriptive formalisms for denoting streams and their operations. Recall, for example, the adder module A, which adds corresponding packets from its input channels X and R to yield the packets for its output channel S. We characterized its behavior by the relation EXT_A defined by

((x,r), (t)) ∈ EXT_A ⟺ #t = min(#x, #r) and t[i] = x[i] + r[i] ∀i ≤ #t;

at a higher level, we should be able to view this relation as a functional operation on streams, expressed as s = x + r. Of course, in order to use such higher-level descriptions formally in proofs, we would need to develop a methodology for performing various manipulations with them. With such a
methodology, it seems that correctness proofs can be further simplified by bringing the level of formal description closer to our conceptual view of packet systems and their operation.

There is even more room for further research in studying the development of a general proof methodology for verifying packet systems.
Given a particular packet system, it is a lengthy exercise to work out the 
details of a correctness proof, but a general proof methodology would yield a 
systematic approach to the art of proof generation. We now discuss some of 
the issues involved in abstracting the correctness proofs we devised. 

All of our correctness proofs have both a consistency part and a synthesis part. The consistency part is set up to show that for a given execution sequence, the system input and output slices satisfy the external specifications for the system. Since the external specifications are given in terms of streams, the consistency part consists of showing that various streams satisfy desired properties. For our proofs, these properties relate to the size and elements of the streams. Accordingly, the consistency portion of a correctness proof is often divided into two parts: a size condition and an element condition. The synthesis portion of a correctness proof entails the construction of execution sequences to realize given system behavior. These two parts, consistency and synthesis, compose the framework of a correctness proof for any packet system.

In order to produce a correctness proof for the general case of an arbitrary packet system, one must develop a set of tools for handling the parts of a proof mentioned above. We now discuss each of these parts in detail.

For the consistency portion of a correctness proof, we need to establish chains of equalities connecting the various system input and output streams. Construction of such chains, of course, is accomplished through the use of the external specifications of the component modules of the system. With all but the most trivial of systems, separate chains must be set up to handle the size and element properties of the channel streams.

In our proofs of the systems C and S, we made use of special limit lemmas to complete the size chains. The Sum Limit Lemma, for example, asserted that the limit of a termwise sum of two streams is the sum of the limits of the two streams. Mathematically speaking, we may view this lemma as stipulating that sums and limits "commute" under appropriate conditions. Such a commutativity property essentially states that the termwise stream sum operation is continuous in a certain mathematical sense. For an arbitrary packet system in general, continuity lemmas such as these are needed in order to establish relations among streams in a system's limit state from corresponding relations that hold for intermediate states. A fairly large class of arithmetic and logical operations satisfy the desired continuity properties. It may be wise to restrict the class of packet systems to include only those behaviors for which the size properties are continuous.

There is an entirely different conceptual abstraction associated with the element properties in a consistency proof. In order to relate particular output packet values with corresponding input packet values, it is in general necessary to trace the passage of individual packets through the internal channels of the system. This becomes a difficult task even with relatively




simple systems such as S, since the transmission and acknowledgment of a 
packet are traced through an entire series of applications of the system's 
connection properties and the specifications of the component modules. In 
order to obtain a general proof methodology, it is essential to develop some 
formalism for describing and deriving properties of the packet transmission 
pathways within a system. In the system C, for example (see figure 5.3-1), 
we should be able to formally state that any packet received on channel X 
will be passed through module A onto channel S and then through module D 
onto both channels R and Y. By a judicious use of appropriate descriptive 
tools, a high-level formalism for manipulating properties such as these should 
be achievable. 
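As an added illustration (not code from the thesis), the following toy model executes the routing just quoted for system C: channel streams only grow along an execution sequence, a module fires by consuming the next unprocessed packet on its input channel, and running until no module can fire yields the limit state. The channel and module names X, A, S, D, R and Y follow the text; the module transforms (A increments a packet's value, D copies its input unchanged onto both outputs), the packet fields and the sample input are assumptions made here. The checks at the end are the size chain and element chain a consistency proof would establish, plus a packet trace through the internal channels.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Packet:
    pid: int    # packet identity, used to trace one packet through the channels
    value: int  # payload (constructed for this illustration)


# A state maps each channel name to the stream of packets transmitted on it so far.
State = Dict[str, List[Packet]]
CHANNELS = ["X", "S", "R", "Y"]   # in routing order: X -> A -> S -> D -> R, Y


class Module:
    """Consumes packets from one input channel and appends a transformed
    copy to each of its output channels (an assumed module model)."""

    def __init__(self, name: str, inp: str, outs: List[str],
                 fn: Callable[[Packet], Packet]) -> None:
        self.name, self.inp, self.outs, self.fn = name, inp, outs, fn
        self.consumed = 0  # number of input packets already processed

    def fire(self, state: State) -> bool:
        stream = state[self.inp]
        if self.consumed >= len(stream):
            return False   # nothing new on the input channel
        pkt = stream[self.consumed]
        self.consumed += 1
        for out in self.outs:
            state[out].append(self.fn(pkt))
        return True


def build_modules() -> List[Module]:
    # Routing quoted in the text; the transforms are assumptions.
    return [
        Module("A", "X", ["S"], lambda p: Packet(p.pid, p.value + 1)),
        Module("D", "S", ["R", "Y"], lambda p: p),
    ]


def snapshot(state: State) -> State:
    return {c: list(s) for c, s in state.items()}


def execute(inputs: List[Packet]) -> List[State]:
    """Run to completion and return the execution sequence (list of states)."""
    state: State = {c: [] for c in CHANNELS}
    state["X"] = list(inputs)
    modules = build_modules()
    sequence = [snapshot(state)]
    while True:
        # fire at most one module per step, so every intermediate state is recorded
        fired = next((m for m in modules if m.fire(state)), None)
        if fired is None:
            return sequence           # no module can fire: this is the limit state
        sequence.append(snapshot(state))


def limit_state(inputs: List[Packet]) -> State:
    return execute(inputs)[-1]


def streams_monotone(sequence: List[State]) -> bool:
    """Each channel stream is a prefix of the same stream in the next state."""
    return all(nxt[c][:len(prev[c])] == prev[c]
               for prev, nxt in zip(sequence, sequence[1:]) for c in CHANNELS)


def size_properties_hold(state: State) -> bool:
    """Size chain: every packet received on X appears once on S, R and Y."""
    n = len(state["X"])
    return all(len(state[c]) == n for c in ("S", "R", "Y"))


def element_properties_hold(state: State) -> bool:
    """Element chain: the i-th packet on R and on Y is the i-th packet on X
    after A's transform, and Y is a copy of R."""
    return all(r.pid == x.pid and r.value == x.value + 1 and y == r
               for x, r, y in zip(state["X"], state["R"], state["Y"]))


def trace_packet(pid: int, state: State) -> List[str]:
    """Channels, in routing order, on which the packet with this id was seen."""
    return [c for c in CHANNELS if any(p.pid == pid for p in state[c])]


SAMPLE_INPUT = [Packet(i, 10 * i) for i in range(1, 4)]   # constructed input on X

if __name__ == "__main__":
    seq = execute(SAMPLE_INPUT)
    final = seq[-1]
    print(len(seq) - 1, "firings; limit state sizes:",
          {c: len(s) for c, s in final.items()})
    print("size chain holds:", size_properties_hold(final),
          "element chain holds:", element_properties_hold(final))
    print("path of packet 2:", trace_packet(2, final))
```

Note that the size relation holds only in the limit state, not in intermediate ones (after A's first firing, S holds one packet while X holds three), which is exactly why the continuity argument of the preceding paragraphs is needed to carry relations from intermediate states to the limit.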

There is another approach we may take towards consistency proofs. 
In the characterization theorem for acyclic systems given in the preceding 
chapter, one direction of proof did not require that the systems be acyclic. 
We proved that in any complete execution sequence for any packet system, 
cyclic as well as acyclic, if the external characteristic relations for all the 
modules are continuous, then the system's limit state satisfies all these 
external relations simultaneously. It may seem that this result would make 
consistency proofs almost trivial, but continuity must be established in order 
to use it. This alternative approach, although it does not reduce the 
complexity of consistency proofs, may be more suitable for developing a 
generalized proof methodology than the ad hoc approach used in proving the 
three sample systems. 
For the synthesis portion of a correctness proof, there is an approach 
to proof methodology that follows as a logical outgrowth of the conceptual 
notions available to the system designer. It is the designer's task to realize 
certain desired behavior through interconnections of various modules, which 
means that the designer must envision how packets are to be routed through 
the system in order to achieve the intended actions. The designer really goes 
through a conceptual simulation process of the system's behavior. The logical 
framework for a synthesis proof is thus already present as one of the 
elements of the system design process. Again, for a general proof 
methodology, one would need to develop some formalism for describing 
sequences of routings of packets through the various modules in a system. In 
the particular proofs we presented, there was a regular, cyclic structure to 
these routings. It is reasonable to expect that a similar regularity be present 
in the internal behavior of more complex systems. Exploiting this regularity 
should turn out to be helpful in constructing synthesis proofs for packet 
systems. 

As we mentioned in the preceding section, the lemmas we developed 
for our three sample proofs are suitable for use as more general tools. 
Another area for future research is a determination of the scope of their 
applicability and the development of a more comprehensive set of tools for 
system verification. 

In general, the study of specification and proof methodologies for 
packet systems (and perhaps other kinds of structured systems as well) appears 
to be a fertile area for additional exploration. The current research is really 
only a first attack on the problem of formal description and verification of 
systems, but the approaches presented here should point the way for further 
investigation. 

6.3. Parting shots 

A detailed development of a packet system verification methodology 
based on the ideas presented in the preceding section is not an easy task, but 
there is a far more difficult problem to be considered. The complexity of the 
systems that are studied will always be a constraining factor for formal 
specification and verification, since formal descriptions grow in complexity 
faster than the systems they describe. The use of the acyclic system 
characterization theorem and similar techniques can help reduce the 
complexity inherent in many systems, but this reduction will not make 
complicated systems simple. Proofs for systems significantly larger than the 
ones we have discussed may be unmanageably difficult in practice to 
construct in their entirety. Thus, any specification methodology whose only 
goals deal with formal proofs will have limited practical application to real 
systems. No system designer is going to slosh through all the intricate details 
of a proof for a system that he already "knows" is correct. Moreover, proofs 
can contain errors just as much as programs or system designs. However, our 
scheme for packet system specifications supports the hierarchical factoring of 
systems into components that approximate the designer's conceptual view. 
Execution sequences and packet streams in our specification model are useful 
tools that may be manipulated by a system designer to test out and to gain 
further insight into the operation of packet systems being designed. In this 
way, we feel that the concepts that have been developed in our research can 
be applied to aid significantly in the process of designing, debugging and 
understanding packet systems. 

In summary, the research here has opened up a new area of formal 
specification and verification of computing systems, both hardware and 
software. The originality of this work is particularly evident in the context 
of packet system design. The approaches and techniques 
developed here are useful in their own right and should help point the way for 
future work in understanding and verifying systems. 